Stanford CS 155 - Electronic Voting

This preview shows page 1-2-3 out of 8 pages.


Electronic Voting
Dan Boneh
John Mitchell
CS 155
June 1, 2004

Issues

Voting system security requirements
  • Secret ballot, reliable counting, voter anonymity, …
Voting technology
  • History: Paper ballots, lever machines, …
  • Direct Recording Electronic (DRE) systems
Case studies
  • Diebold case study
  • Internet voting (retracted by gov’t)
Cryptographic approaches
Politics
  • Voting Rights Act bills H.R. 3295 and S. 565
  • California Secretary of State Kevin Shelley
  • IEEE Standards committee

Voting Principles

Voter eligibility
  • No voter should have more than one vote
Secret Ballot
  • Votes cast in secret
  • Voter should be confident that vote cast correctly
Reliable counting
  • Public system, typically with officials from all parties
  • Ability to recount
    Some election officials may prefer not to do this
Anonymity
  • Voter should not leave voting booth with any proof of the way he/she voted

Recent History

2000 Presidential Election
  • Hanging chad, contested absentee votes
Help America Vote Act (HAVA, HR 3295, Oct 02)
  • Mandates voting process reform in all states
  • Voters must be able to verify ballots before they are cast
  • “permanent paper record with a manual audit capacity”
  • voter must have “opportunity to change the ballot or correct any error before the permanent paper is produced”
Electronic voting
  • Touchscreen, Direct Recording Electronic (DRE) systems
  • Proponents argue HAVA requirements are met if the voter verifies a screen version of the ballot, and if a paper report can be printed later for audit purposes

[Figures: Punch card device; Punched card]

Other alternatives

Mechanical lever machines
  • Voter flips mechanical levers
  • Machine reports votes
  • Tamper-proof counter similar to car odometer
Optical scan of paper ballots
  • Like our teaching evaluations …
  • Fairly reliable counting method
  • Requires pencil and paper ballots

[Figure: Lever machine]

Touch-screen voting

Usability
  • Customized ballot
  • Easy to read, vote
  • Accessible to blind
    wear headphones
Vote counting
  • DRE system provides quick count
Voter “authentication”
  • smartcard reader (lower-right corner)

[Figure: Diebold AccuVote-TS, http://www.sos.state.ga.us/]

How votes are cast

[Figure: IEEE Spectrum, Oct 2002]

Problems with electronic voting

Washington Post 11/6/2003
  • Software glitch in November’s election in Virginia
  • Advanced Voting Solutions touchscreen machines
  • “Voters in three precincts reported that when they attempted to vote for [Thompson], the machines initially displayed an ‘x’ next to her name but then, after a few seconds, the ‘x’ disappeared. In response to Thompson's complaints, county officials tested one of the machines in question yesterday and discovered that it seemed to subtract a vote for Thompson in about ‘one out of a hundred tries,’ said Margaret K. Luca, secretary of the county Board of Elections.”
    http://www.washingtonpost.com/wp-dyn/articles/A6291-2003Nov5.html
Indianapolis Star 11/9
  • Software glitch in November’s election
    – 19,000 registered voters
    – 144,000 votes tallied
    – actual number of votes cast was 5,352
  • MicroVote touchscreen machines
    http://www.indystar.com/articles/6/091021-1006-009.html

Voter Verified Audit Trail

[Figure: IEEE Spectrum, Oct 2002]

Case Study: Diebold machine

T. Kohno, A. Stubblefield, A. Rubin, D. Wallach

Basis for study

Proprietary system
  • Certification mandated by election laws
    – Without public review: Security through obscurity
Diebold system leaked
  • AccuVote-TS DRE voting system, Oct 2000 - April 2002
  • Available on open ftp server
  • Identified by activist Bev Harris
  • Some zip files, cvs repository
    – DMCA concern over zip “encryption”
    – Available on New Zealand site
No access to Diebold’s back-end election management system

Some problems

Encrypted votes and audit logs
  • 56-bit DES in CBC mode with static IVs
  • #define DESKEY ((des_key*)"F2654hD4")
  • Unkeyed public function (CRC) for integrity
No authentication of smartcard to voting terminal
Insufficient code review

Sample comment in code

    // LCG - Linear Conguential Generator
    // used to generate ballot serial numbers
    // A psuedo-random-sequence generator
    // (per Applied Cryptography,
    // by Bruce Schneier, Wiley, 1996)
  - BallotResults.cpp, Diebold Election Systems

“Unfortunately, linear congruential generators cannot be used for cryptography”
  - Page 369, Applied Cryptography, by Bruce Schneier

Other examples

“this is a bit of a hack for now.”
  - AudioPlayer.cpp
“the BOOL beeped flag is a hack so we don't beep twice. This is really a result of the key handling being gorped.”
  - WriteIn.cpp
“the way we deal with audio here is a gross hack.”
  - BallotSelDlg.cpp
“need to work on exception *caused by audio*. I think they will currently result in double-fault.”
  - BallotDlg.cpp

Code Fragment

    void CBallotRelSet::Open(const CDistrict* district, const CBaseunit* baseunit,
                             const CVGroup* vgroup1, const CVGroup* vgroup2)
    {
        ASSERT(m_pDB != NULL);
        ASSERT(m_pDB->IsOpen());
        ASSERT(GetSize() == 0);
        ASSERT(district != NULL);
        ASSERT(baseunit != NULL);
        if (district->KeyId() == -1) {
            Open(baseunit, vgroup1);
        } else {
            const CDistrictItem* pDistrictItem = m_pDB->Find(*district);
            if (pDistrictItem != NULL) {
                const CBaseunitKeyTable& baseunitTable = pDistrictItem->m_BaseunitKeyTable;
                int count = baseunitTable.GetSize();
                for (int i = 0; i < count; i++) {
                    const CBaseunit& curBaseunit = baseunitTable.GetAt(i);
                    if (baseunit->KeyId() == -1 || *baseunit == curBaseunit) {
                        const CBallotRelationshipItem* pBalRelItem = NULL;
                        while ((pBalRelItem = m_pDB->FindNextBalRel(curBaseunit, pBalRelItem)))
                        {
                            if (!vgroup1 || vgroup1->KeyId() == -1 ||
                                (*vgroup1 == pBalRelItem->m_VGroup1 && !vgroup2) ||
                                (vgroup2 && *vgroup2 == pBalRelItem->m_VGroup2 &&
                                 *vgroup1 == pBalRelItem->m_VGroup1))
                                Add(pBalRelItem);
                        }
                    }
                }
                m_CurIndex = 0;
                m_Open = TRUE;
            }
        }
    }

Zero Comments

Other problems

Ballot definition file on removable media unprotected
Smartcards use no cryptography
Votes kept in sequential order
Several glaring errors in cryptography
Inadequate security engineering practices
Default Security PINs of 1111 on administrator cards
Windows Operating System
  • tens of millions of lines of code
  • new “critical” security bug announced every week

Insider threat

Easy to hide code in large software packages
Virtually impossible to detect back doors
Skill level needed to hide malicious code is much lower than needed to find it
Anyone with access to
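
The "Some problems" slide lists an unkeyed public function (CRC) used for integrity. The following Python sketch is an added example, not code from the lecture or from the Diebold sources, and contrasts that design with a keyed MAC; the record layout, function names and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import zlib

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes


def crc_seal(record: bytes) -> bytes:
    """Unkeyed check: append CRC-32. Anyone holding the record can recompute it."""
    return record + zlib.crc32(record).to_bytes(4, "big")


def crc_ok(blob: bytes) -> bool:
    return crc_seal(blob[:-4]) == blob


def mac_seal(key: bytes, record: bytes) -> bytes:
    """Keyed check: append HMAC-SHA-256 computed under a secret key."""
    return record + hmac.new(key, record, hashlib.sha256).digest()


def mac_ok(key: bytes, blob: bytes) -> bool:
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def compare_checks() -> dict:
    # Constructed sample records; the field layout is hypothetical.
    original = b"serial=1001;contest=7;choice=2"
    edited = b"serial=1001;contest=7;choice=5"
    # Assumption: the key is generated per device and kept out of the source
    # tree, unlike the hard-coded DESKEY quoted on the slide.
    key = secrets.token_bytes(32)
    stored_tag = mac_seal(key, original)[-TAG_LEN:]
    sealed = crc_seal(original)
    corrupted = sealed[:-5] + b"X" + sealed[-4:]  # one damaged byte, old CRC
    return {
        "crc_accepts_original": crc_ok(sealed),
        # Whoever edits the record can also recompute the public checksum.
        "crc_accepts_edited": crc_ok(crc_seal(edited)),
        # A CRC does catch accidental corruption, which is all it is for.
        "crc_accepts_corrupted": crc_ok(corrupted),
        "mac_accepts_original": mac_ok(key, mac_seal(key, original)),
        # Without the key, an edited record can only carry the stale tag.
        "mac_accepts_edited": mac_ok(key, edited + stored_tag),
    }


if __name__ == "__main__":
    for name, value in compare_checks().items():
        print(f"{name}: {value}")
```

The keyed check is only as strong as the key's secrecy, so a key compiled into every terminal would give it the same weakness as the checksum.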