Why details are important | Kleptography | Kleptographic attacks on Neff’s scheme | Countermeasure

Kleptographic Attacks on E-Voting Schemes

Marcin Gogolewski (1), Marek Klonowski (2), Przemek Kubiak (2), Mirek Kutyłowski (2), Anna Lauks (2), Filip Zagórski (2)

(1) Faculty of Mathematics and Computer Science, Adam Mickiewicz University
(2) Institute of Mathematics and Computer Science, Wrocław University of Technology

Workshop on Electronic Voting and e-Government in the UK, 27–28 February 2006

Gogolewski et al. Kleptographic Attacks on E-Voting Schemes

Attacked systems

In the paper we present attacks on:
1. “A practical voting scheme with receipts”, our scheme (from ISC’2005),
2. David Chaum’s Visual Voting Scheme,
3. Neff’s Scheme,
4. Prêt à Voter, by Chaum, P. Ryan, and Schneider (from ESORICS 2005).

Not in the paper, but possible:
1. the system presented by Mark Ryan yesterday,
2. the system presented by Peter Ryan yesterday (probably).

Outline

- Why details are important
- Kleptography
  - Necessity of randomness in e-voting
  - Dangers of randomness
  - Kleptography features
- Kleptographic attacks on Neff’s scheme
  - The ballot
  - The attacks
- Countermeasure
  - Verifiable randomness

Demands

- ...forget complicated systems!...
- ... neither politicians nor most of the voters will understand you and accept the solution...

Lessons from the past

Case example - remote controls for unlocking a car:
- initial solution - a 32-bit key (fixed for a car) transmitted in cleartext,
- ... forget complicated systems - cryptography or other academic stuff... We design practical systems!
- but stealing cars increased rapidly

A patch

- 32-bit cryptography is weak, so let’s upgrade it to 64-bit keys,
- but stealing cars is as easy as before - a stupid countermeasure
- now a fairly complicated cryptographic protocol is used for unlocking a car
- the car owners do not even care to understand it ...

Is an application/device a trusted party?

Ross Anderson’s example:
- if an operating system contains 100.000 security flaws, 1.000 security specialists analyze source code and detect and patch 5.000 flaws per month
- and a single computer terrorist may detect 3 flaws per year
- then with probability only 0.216 all 3 flaws will be detected by the security team

Do you really think that you can check the process of creating software or hardware?

Necessity of randomness in e-voting

- The number n of candidates is small (< 216).
- Basic property: without the decryption keys of the tallying authorities, a candidate’s name cannot be derived from a ballot.
- Therefore voters’ choices must be masked by (pseudo)random values.

Dangers of randomness

It is known that freedom in choosing parameter values makes room for a subliminal channel, through which the following may leak:
- voters’ choices,
- signing keys of voting machines,
- ...

Leaking voter’s choice

Leaking information about voters’ choices allows:
- buying votes,
- coercion,
- knowledge of partial results (e.g. from discarded receipts); if the results are unfavourable, a DoS attack might be mounted,
- ...

Leaking keys of voting machines

A leakage of the VM’s keys allows:
- leaking voters’ choices (in some schemes),
- creating fake ballots (and claiming election fraud),
- changing election results by replacing the votes cast (in some cases)

Kleptography I

- designed by Yung and Young ten years ago,
- perhaps the most important threat to the security of high-end systems
- implementation of “Big Brother” with only one TV receiver

Kleptography II

Kleptography makes the subliminal channel very selective:
- the channel is protected (encrypted) by a public key of a malicious Mallet,
- data can be read from the kleptographic channel only with the secret key,

Kleptography III

- non-invasive testing cannot detect klepto-code,
- reverse engineering of a device/software “compromises” only the public key; the private key is not there!
- how many tamper-resistant cards will you check?
- the producer can always claim that this was not an original device

A perfect technology for Dr No from James Bond stories!

The ballot in Neff’s scheme

The ballot is a matrix of BMPs (Ballot Mark Pairs):

$$
\begin{array}{cccc}
\mathrm{BMP}_{1,1} & \mathrm{BMP}_{1,2} & \cdots & \mathrm{BMP}_{1,\ell} \\
\mathrm{BMP}_{2,1} & \mathrm{BMP}_{2,2} & \cdots & \mathrm{BMP}_{2,\ell} \\
\vdots & \vdots & & \vdots \\
\mathrm{BMP}_{i,1} & \mathrm{BMP}_{i,2} & \cdots & \mathrm{BMP}_{i,\ell} \\
\vdots & \vdots & & \vdots \\
\mathrm{BMP}_{n,1} & \mathrm{BMP}_{n,2} & \cdots & \mathrm{BMP}_{n,\ell}
\end{array}
$$

where $n$ is the number of candidates and $\ell$ is a security parameter, $\ell \in \{10, 11, \ldots, 15\}$.

Each $\mathrm{BMP}_{j,k}$ is a pair $(b_{j,k,L}, b_{j,k,R})$ of ElGamal ciphertexts:

$$b_{j,k,\alpha} = \left(g^{\omega_{j,k,\alpha}},\; m_{j,k,\alpha} \cdot y^{\omega_{j,k,\alpha}}\right) \quad \text{for } \alpha \in \{L, R\},$$

where:
- $(g, y)$ is a public key for mixes,
- $m_{j,k,\alpha} \in \{Y, N\}$, and $Y$, $N$ are fixed elements: one of them is the neutral element (“1”),
- $\omega_{j,k,\alpha}$ are supposed to be random values.

Suppose that voter Alice has chosen a candidate $C_i$; then
- each $\mathrm{BMP}_{i,k}$ in the $i$th row contains $(Y, Y)$ if a random $x_{i,k} = 1$, and $(N, N)$ if $x_{i,k} = 0$,
- each $\mathrm{BMP}_{j,k}$ in the $j$th row, $j \neq i$, contains $(Y, N)$ if $x_{j,k} = 1$, and $(N, Y)$ otherwise.

The attack on random exponents

Let $(g, y_M)$ be Mallet’s ElGamal public key ($y_M = g^{x_M}$).
- During the voting procedure, in each $\mathrm{BMP}_{j,k}$ one of the exponents $\omega_{j,k,L}$, $\omega_{j,k,R}$ will be revealed according to the voter’s choice $c_{j,k} \in \{0, 1\}$.
- Let $K^*_\alpha = h_\alpha\left(y_M^{\omega_{n,\ell,L}},\, y_M^{\omega_{n,\ell,R}}\right)$ for good hash functions $h_\alpha$, $\alpha = L, R$.
- Only the VM and Mallet can calculate the keys $K^*_\alpha$.

The attack on random exponents

$$K^*_\alpha = h_\alpha\left(y_M^{\omega_{n,\ell,L}},\, y_M^{\omega_{n,\ell,R}}\right)$$

Indeed:
- The VM knows Mallet’s public key $y_M$ and the exponents used,
- Mallet can raise the first components $g^{\omega_{n,\ell,L}}$, $g^{\omega_{n,\ell,R}}$ of the ciphertexts in the pair $\mathrm{BMP}_{n,\ell}$ to the power $x_M$, and get $y_M^{\omega_{n,\ell,L}}$, $y_M^{\omega_{n,\ell,R}}$,
- only one (not both) of $\omega_{n,\ell,L}$, $\omega_{n,\ell,R}$ will be revealed.

The attack on random exponents - encoding messages

Consequently, each other pair of exponents $\omega_{j,k,L}$, $\omega_{j,k,R}$ might carry a ciphertext:

$$\omega_{j,k,\alpha} = E_{K^*_\alpha}\left(m^*_{j,k}\right),$$

where $E$ is a symmetric encryption scheme, and $m^*_{j,k}$ is a message to be hidden in $\mathrm{BMP}_{j,k}$. So, a single ballot may carry $n \cdot \ell - 1$ messages to Mallet.

Other attacks on Neff’s scheme

Our other attacks exploit:
- the (supposed to be) random bits $x_{j,k}$, which decide on $(Y, N)$,
- if a random BSN (Ballot Sequence Number) is assigned to each ballot (as stated in VoteHere), then the BSNs may also carry a kleptographic message,
- the order of the precomputed $g^{\omega_{j,k,\alpha}}$ might point out one of $2n\ell$ messages, which might be kleptographically hidden by a permutation

$$\pi = H\left(\prod_{j=1}^{n} \prod_{k=1}^{\ell} \prod_{\alpha \in \{L,R\}} y^{\omega_{j,k,\alpha}}\right),$$

where $H$ is a good hash function.

The countermeasure: make things verifiable

- Avoid unnecessary randomness (e.g. a ballot output batch is always put in lexicographic order).
- Produce random values from signatures (in Chaum’s manner): $r = R(\mathrm{sig}(q))$, where:
  - $R$ is a strong pseudorandom number generator,
  - $\mathrm{sig}$ is a deterministic signature scheme,
  - $q$ is a number present on the ballot (e.g. $q$ = BSN).
- Make future parameters (like BSN) dependent on current choices – use linear linking.

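
An added sketch of the rule r = R(sig(q)) from the countermeasure slide, showing how an auditor can check that a published g^r left the machine no free choice (this is not code from the talk or the paper). It assumes textbook RSA over a hashed q as the deterministic signature, SHAKE-256 as R, toy Mersenne-prime parameters, a hypothetical label format for q, and that the auditor is handed the signature for an opened exponent.

```python
import hashlib

# Constructed toy parameters (Mersenne primes); far too small for real use.
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1
N, E = RSA_P * RSA_Q, 65537                 # public verification key
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))   # signing key, held by the VM
P, G = 2**127 - 1, 3                        # assumed ElGamal modulus and base g

def fdh(q: bytes) -> int:
    """Hash q into Z_N (full-domain-hash style, toy-sized)."""
    return int.from_bytes(hashlib.sha256(q).digest(), "big") % N

def sign(q: bytes) -> int:
    """Deterministic signature: exactly one valid signature per q."""
    return pow(fdh(q), D, N)

def R(sig: int) -> int:
    """Pseudorandom generator R: expand the signature into an exponent."""
    seed = sig.to_bytes((N.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.shake_256(seed).digest(32), "big") % (P - 1)

def vm_first_component(q: bytes) -> int:
    """Honest VM: exponent r = R(sig(q)), published value g^r."""
    return pow(G, R(sign(q)), P)

def audit(q: bytes, sig: int, published: int) -> bool:
    """Auditor: needs only the public key (N, E), q and the opened signature."""
    if pow(sig, E, N) != fdh(q):            # signature must be valid for q
        return False
    return pow(G, R(sig), P) == published   # exponent must be R(sig), nothing else

def demo():
    q = b"BSN=000123|j=1|k=1|alpha=L"       # constructed ballot label
    s = sign(q)
    honest = vm_first_component(q)
    # A VM that chose its own exponent: the freedom a subliminal channel needs.
    chosen = pow(G, 0xC0FFEE, P)
    return audit(q, s, honest), audit(q, s, chosen), audit(q, s + 1, honest)

if __name__ == "__main__":
    print(demo())
```

Because sig is deterministic, q fixes the signature and therefore the exponent, so any value the machine picks for itself fails the audit.
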
The countermeasure: two devices principle

- kleptography may break down (as far as we know now) if two independent devices are applied, say one from the USA (CIA) and one from Germany (BND)
- re-designing the protocols?

Conclusion

A critical requirement for e-voting systems:

... the offer must contain evidence that the system proposed is immune against kleptographic attacks...

Otherwise, the system would violate the legal requirements.

Thanks for your attention (and please do not forget the conclusion)