CS 194 / CS 161: Computer Security
Lecture 24: Elections, Computer Security and Electronic Voting
November 29, 2006
Prof. Anthony D. Joseph, http://cs161.org
Slides courtesy of Prof. David Wagner

Security Goals for an Election
- Integrity: no election fraud.
- Transparency: everyone must be able to verify that the election was conducted appropriately.
- Privacy: no one learns how the voter has voted.
- Secret ballot: the voter cannot prove how she voted.

Breakthrough: the Australian secret ballot
- Ballot printed by the government.
- Ballot boxes monitored by observers.
- Ballots counted by hand in public.
- Competing interests keep each other honest.

Question: How do election security goals apply to touchscreen DRE (direct-recording electronic) voting machines?

Timeline:
- Nov 4, 2002: State of Georgia votes on Diebold DREs.
- March 18, 2003: Diebold source code leaks.
- July 23, 2003: Tadayoshi Kohno, Adam Stubblefield, Avi Rubin, Dan Wallach, "Analysis of an Electronic Voting System".

Requirements for the machine:
1. The machine must allow each authorized voter to vote exactly once, and must prevent tampering with votes after they are cast.
2. The machine should be verifiably trustworthy.
3. The machine must randomize the order in which votes were cast.
4. The machine must not give the voter a receipt.
These correspond, in order, to the four security goals for an election: integrity, transparency, privacy, secret ballot.

The voter authorization protocol (voting machine and voter smartcard)
- Machine -> card: QueryStatus ("Are you a valid card?")
- Card -> machine: ACTIVE (0x01) ("Yup.")
- Machine records the vote.
- Machine -> card: SetStatus CANCELED (0x08) ("Please cancel yourself.")
- Card -> machine: Succeeded ("Ok, status = CANCELED.")

Attack
The machine trusts whatever the card says about its own state. A malicious smartcard answers ACTIVE (0x01) to QueryStatus and Succeeded to SetStatus CANCELED (0x08) without actually changing state, so the machine records a vote, "cancels" the card, and will record another vote when the same card is presented again.

Authenticating election officials
- Machine -> card: What kind of card are you?
- Card -> machine: An administrator card.
- Machine -> card: What's the secret PIN?
- Card -> machine: 2301
- Machine -> person at the terminal: What's the secret PIN?
- Person: 2301
- Machine: Ok, you have admin access.
The PIN the machine checks against comes from the card itself, so a malicious smartcard can claim to be an administrator card and supply a PIN of its own choosing.

Source code excerpts

The DES key used to encrypt vote records is a constant in the source:

```c
#define DESKEY ((des_key*)"F2654hD4")
/* ... */
/* CBC-mode DES of the vote record with the fixed key above and a NULL IV */
DESCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data,
              totalSize, DESKEY, NULL, DES_ENCRYPT);
```

Ballot serial numbers come from a linear congruential generator (the slide's excerpt, with the operators restored to the standard LCG form (a*x + c) mod m):

```c
// LCG - Linear Congruential Generator - used to generate ballot serial numbers
// A pseudo-random sequence generator (per Applied Cryptography, Bruce Schneier)
int lcgGenerator(int lastSN)
{
    return ((lastSN * 1366) + 150889) % 714025;
}
```

"Unfortunately, linear congruential generators cannot be used for cryptography." (Applied Cryptography, p. 369.) Given one serial number, every later one is computable, which undermines requirement 3 (randomizing the order of cast votes).

(Slides: Reactions from voters; Movie.)

Trojan Horses and the Insider Threat

Attempted Trojan Horse in the Linux kernel (excerpt from wait4):

```c
        schedule();
        goto repeat;
    }
    /* single "=": assigns uid 0 (root) to the caller instead of comparing */
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    retval = -ECHILD;
end_wait4:
    current->state = TASK_RUNNING;
```

Ronald Dale Harris: employee of the Gaming Control Board 1983-1995; arrested Jan 15, 1995; convicted Sept 23, 1997 for rigging slot machines.

Trojan Horses and Voting Machines
- Malicious logic hidden by an insider might, e.g., record votes incorrectly to favor one candidate.
- Extremely difficult to prevent or detect.
- Potential solutions:
  - Verify that the software is free of Trojans: beyond the state of the art.
  - Verify that the output of the software is correct:
    - voter-verified paper audit trail + 1% audits
    - optical-scan paper ballots
    - ballot marking devices + paper ballots

Statistical audit
- After the election, randomly choose 1% of the machines and manually recount the paper records on those machines.
- If the paper count differs from the electronic count, there was fraud.
- If 100 or more machines cheat, detection is likely.
- Consequently: if the paper count matches the electronic count, then (with high likelihood) no more than 100 machines cheated.

The audit as an interactive proof:
- Prover (election official): "The tallies are t1, ..., tn."
- Verifier (skeptical voter): "Show me the paper for machine i."
- Prover: produces the voter-verified paper audit trail for machine i.

Conclusions
- E-voting security is hard because computers aren't transparent.
- All known solutions use paper. Secure paperless voting is an open research problem.
- Computer science is deeply relevant to democracy.
- Technical principles:
  - Two-person control / separation of duties
  - Statistical audit
  - Security against malicious insiders
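The statistical-audit argument above (sample 1% of machines; if 100 or more cheat, detection is likely) can be made quantitative. The following is an added example, not part of the lecture: it models the recount as sampling machines without replacement and computes the probability that at least one cheating machine is drawn, plus the smallest sample that reaches a chosen confidence. The machine counts and tallies are constructed for illustration.

```python
# Added example: detection power of a random manual recount (hypergeometric model).
# A "cheating" machine is one whose electronic tally differs from its paper record.


def miss_probability(n_machines: int, n_cheating: int, n_audited: int) -> float:
    """P(a random sample of n_audited machines contains no cheating machine)."""
    if not (0 <= n_cheating <= n_machines and 0 <= n_audited <= n_machines):
        raise ValueError("need 0 <= n_cheating, n_audited <= n_machines")
    p = 1.0
    for i in range(n_audited):
        honest_left = n_machines - n_cheating - i  # honest machines not yet drawn
        if honest_left <= 0:  # honest pool exhausted: a cheater must be in the sample
            return 0.0
        p *= honest_left / (n_machines - i)
    return p


def detection_probability(n_machines: int, n_cheating: int, n_audited: int) -> float:
    """P(at least one cheating machine is recounted)."""
    return 1.0 - miss_probability(n_machines, n_cheating, n_audited)


def audit_size_for_confidence(n_machines: int, n_cheating: int,
                              confidence: float = 0.95) -> int:
    """Smallest sample size with P(detect) >= confidence against n_cheating cheaters."""
    if n_cheating <= 0:
        raise ValueError("no sample size can detect zero cheating machines")
    p_miss = 1.0
    for s in range(1, n_machines + 1):  # extend the product one draw at a time
        honest_left = n_machines - n_cheating - (s - 1)
        p_miss = 0.0 if honest_left <= 0 else p_miss * honest_left / (n_machines - s + 1)
        if 1.0 - p_miss >= confidence:
            return s
    return n_machines


def machines_with_mismatch(paper: dict, electronic: dict) -> list:
    """Machine ids whose manual paper recount differs from the electronic tally."""
    return sorted(m for m in paper if paper[m] != electronic.get(m))


if __name__ == "__main__":
    # Constructed figures: 10,000 machines, a 1% audit (100 machines), 100 cheaters.
    print(f"P(detect): {detection_probability(10_000, 100, 100):.3f}")
    print("sample for 95% confidence:", audit_size_for_confidence(10_000, 100))
    paper = {"m1": {"A": 212, "B": 190}, "m2": {"A": 150, "B": 160}}       # constructed
    electronic = {"m1": {"A": 212, "B": 190}, "m2": {"A": 180, "B": 130}}  # constructed
    print("mismatching machines:", machines_with_mismatch(paper, electronic))
```

With 10,000 machines a 1% sample catches 100 cheating machines only about 64% of the time; roughly a 3% sample is needed for 95% confidence, which is the kind of check an auditor should run before fixing the sample rate.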