nathanael paul cryptography applications bistro february 3, 2004
TRANSCRIPT
Nathanael Paul
CRyptography Applications BistroFebruary 3, 2004
Electronic Voting
• Convenient
• Supposed to increase voter turnout
• Quicker counts
• Handicapped/disabled
• “I wonder where the votes go once you touch the screen and if it's possible to mess with the vote.”
Carol Jacobson, Berkeley, CA
Threats• Vote Coercion
• Vote Selling
• Vote Solicitation
• Online Registration
• Voter Privacy
• Could have a scrawny teenage script kiddy but now a foreign government
Rubin’s “Security Considerations for Remote Electronic Voting over the
Internet”• Hosts are assumed to be Windows using
IE/Netscape
• Internet connection using TCP/IP
• Attack the endpoints (user, servers) or communications
Attacking the host
• Malicious payloads– Proxy settings
• Javascript or Java applets– http://www.securityfocus.com/bid/4228/discussion/
– BackOrifice• PCAnywhere, open source
– Chernobyl virus• Activate on certain day• Modified bios
Get the code on their machine
• MyDoom
• instant messenger, file sharing– Windows Media Player (Java vulnerability)
• AOL
• Microsoft Office code
DoS/DDoS attacks
• Attack servers– Public key encryption– Regular expression attacks
• Ping of death
• DoS attacks on individual applications– Java (exploit system code)
Social Engineering
• SSL– Average user checking a certificate– Even if it’s bad, will some just proceed
anyways?
• Spoofing– Web site– Poisoning DNS cache
What is needed?
• Trusted path between user and election server– Malicious code should not have a way to
interfere with normal operation.
• Allow citizens outside of the country to vote in an easy manner
• Should be at least as secure as current absentee voting ballot designs
• SSL connection to a central server
• Local Election Official (LEO) precinct computer downloads registration/ballots from central server
SERVE design
Server
Voter
<nam
e, E kv
(bal
lot)>
LEO precinct computer
Ballots
<GET BALLOTS>
<EkLEO (BALLOTS)>
Some Security Considerations
• Attack central server, LEO server, host machine, communications (DNS)
• Privacy– LEO’s can view entire precinct’s votes– Central server could view everyone’s votes
• Windows only• ActiveX and Java used for central server and
user– 75 flaws in Java from 1999-2003 according to CVE
(not all are actual entries)
DoS/DDoS in SERVE
• Central server provides a single point of attack
• LEO
• Election spans longer period of time (month)
• DDoS excess of 150 Gbps– E-commerce sites with 10 Gbps link
Measuring it all up• Vote Coercion
– Impossible to detect
• Vote Selling– Buyers outside of US?
• Vote Solicitation– AOL and Pop-ups will go crazy
• Online Registration– Man-in-the-middle
• Voter Privacy– Not possible with this scheme
Proposed Alternatives
• Remote ballot printer recommended with the voter mailing in the printed ballot
• Chaum’s SureVote scheme with voter-verifiable receipts using Visual Cryptography
• VoteHere (covered by Richard) with a threshold cryptography scheme
Additional Reading
• IEEE Security & Privacy, Jan/Feb 2004 special issue on E-voting
• SureVote, VoteHere DRE schemes
• David Dill’s http://www.verifiedvoting.org
“The fact that 50 votes were cast in Florida using VOI, and that a change of 269 votes in the official tally of that state would have resulted in Al Gore becoming President.”
SERVE report, Jan. 21, 2004