Providing Trusted Paths Using Untrusted Components
Andre L. M. dos Santos
Georgia Institute of Technology
andre@cc.gatech.edu
Electronic Voting
• Assumptions:
– There is a framework for electronic voting.
• All the cryptography is embedded in the framework.
– Smart cards, USB tokens, or any other portable tamper-resistant devices add security to electronic voting.
• Problem:
– Would a tamper-proof smart card solve all the problems of electronic voting?
Do You Know for Whom You Are Voting?
What is the problem?
[Figure: the voter says "I vote for John"; the untrusted terminal reports "Hommer's vote is for Bob".]
• The devices used for direct I/O with a human need to be tamper proof.
– So not only the card needs to be tamper proof ….
• Or NOT?
Hard AI Problems
• Informally, something that humans can do easily but computers can't.
• CAPTCHA: Completely Automated Public Turing Test to Tell Computers and Humans Apart.
• Generate a random message, transform it, and ask the human to repeat it.
• Transformation problem:
– A subset of hard AI problems that transform a message.
– Example: distort the text of a message so that only humans can read it.
KHAP: Keyed Hard AI Problems
• A transformation problem that includes a shared secret key.
• Instances generated with different keys are distinguishable.
• A computer cannot extract the key from the transformed message.
• Formalism: t = T(m, k) is an (α, β, γ, δ, ε, ζ)-keyed transformation if
– the probability that a human can extract m from t is at least α;
– the probability that a human who knows k can correctly verify whether k was used to create t is at least β;
– no computer program that runs in time ζ extracts m from t with probability greater than γ;
– no computer program that runs in time ζ extracts k from t with probability greater than δ;
– for every computer program A that runs in time ζ and modifies t to include m′ ≠ m, the probability that a human fails to detect the modification is at most ε.
Protocol
3-D Keyed Transformation
• Render text and objects in a 3-D scene to a 2-D image (raytrace).
• Randomize parameters (lighting, position, rotation, size, colors).
• The human can read the text from the 2-D image.
• The key is the appearance of the objects.
• The human looks for particular objects in the scene.
• The scene is hard to modify in a meaningful way (shadows, reflections, finding objects).
• Provides authenticity (presence of the key objects) and integrity (modifications can be detected by the human).
E-Voting using 3-D Images
Considerations
• How does a human confirm a message?
– Whether or not to disconnect the trusted platform.
• When should you connect your platform?
– Confirmation word.
• How does a device with low computing power perform the transformation?
– It can use (semi-)trusted servers reached through an anonymizing network.
– Covert channels then become a concern.
• What is the best transformation?
– Other examples are speech and text.
Considerations
• Replays and Human Professors
– Time stamps
– Aging
– Spatial relationships
• Easy-to-guess keys
– "Cute puppy dog!"
– May be easier to avoid.
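A simulation of the protocol sketched on the preceding slides (key agreement between voter and card, the keyed transformation T(m, k), the human's checks, the confirmation word, and time stamps against replays), as an added example that is not part of the original talk or of any implementation by its author. It assumes a 36-element object space, two-object keys, three decoys per scene and a 60-second freshness window, and it replaces the raytraced image and the human viewer with stand-ins (a scene description and a checking function), so the hard-AI bounds α … ζ are not simulated: a forger here can only guess k. In this model a forger who crowds the scene with five objects raises the chance that a two-object key is contained in it from 1/630 to 1/63, which is why the human must also reject a scene that does not look like the agreed one.

```python
"""
Simulation of the KHAP trusted-path protocol from the slides.

Stand-ins (assumptions, not from the slides): the raytraced 2-D image
t = T(m, k) is modelled as a structured scene description, and the human
viewer as a function that reads the text, looks for the key objects and
judges the scene's age. The hard-AI properties are not simulated; the
point is who holds k, what the untrusted terminal sees, which checks the
human performs, and how a forger without k fares.
"""
import random
from dataclasses import dataclass
from itertools import product
from math import comb

SHAPES = ("cube", "sphere", "cone", "torus", "teapot", "pyramid")
COLOURS = ("red", "green", "blue", "yellow", "purple", "orange")
OBJECT_SPACE = list(product(SHAPES, COLOURS))  # 36 possible key objects (assumed)
KEY_SIZE = 2      # objects per visual key (assumed)
DECOYS = 3        # non-key objects rendered per scene (assumed)
MAX_AGE = 60      # seconds before a displayed scene counts as a replay (assumed)
WORDS = ("apple", "river", "stone", "cloud", "maple", "tiger")


@dataclass(frozen=True)
class VisualKey:
    """Shared secret k: the appearance of objects the human expects in every scene."""
    objects: frozenset


@dataclass(frozen=True)
class Scene:
    """Stand-in for the rendered image t; everything here is visible to the terminal."""
    text: str           # message m rendered into the scene
    objects: tuple      # (shape, colour, x, y, rotation, size) per rendered object
    timestamp: int      # rendered into the image so the human can judge its age
    confirmation: str   # word the human types back on the untrusted keyboard


def enroll(rng: random.Random) -> VisualKey:
    """Key agreement between the human and the trusted device (e.g. at card issuance)."""
    return VisualKey(frozenset(rng.sample(OBJECT_SPACE, KEY_SIZE)))


def keyed_transform(m: str, key: VisualKey, now: int, rng: random.Random) -> Scene:
    """T(m, k): render m plus the key objects and some decoys with randomised parameters."""
    decoys = rng.sample([o for o in OBJECT_SPACE if o not in key.objects], DECOYS)
    placed = [(shape, colour, rng.random(), rng.random(), rng.randrange(360),
               round(rng.uniform(0.5, 2.0), 2))
              for shape, colour in sorted(key.objects) + decoys]
    rng.shuffle(placed)
    return Scene(m, tuple(placed), now, rng.choice(WORDS))


def human_checks(scene: Scene, key: VisualKey, intended: str, now: int) -> list:
    """What the voter does with the displayed image; an empty list means accept."""
    problems = []
    if scene.text != intended:                      # reads m (alpha)
        problems.append("text does not match my vote")
    seen = {(o[0], o[1]) for o in scene.objects}
    if not key.objects <= seen:                     # verifies that k was used (beta)
        problems.append("my key objects are missing")
    if not 0 <= now - scene.timestamp <= MAX_AGE:   # time stamp / aging against replays
        problems.append("scene is stale")
    return problems


def card_accepts_confirmation(scene: Scene, typed: str) -> bool:
    """The trusted device casts the vote only once the confirmation word comes back."""
    return typed == scene.confirmation


def untrusted_terminal_forge(m_prime: str, now: int, rng: random.Random) -> Scene:
    """Attacker without k: show m' and hope the guessed objects pass the human's check."""
    guess = VisualKey(frozenset(rng.sample(OBJECT_SPACE, KEY_SIZE)))
    return keyed_transform(m_prime, guess, now, rng)


def forgery_success_probability(n_placed: int) -> float:
    """Chance that n_placed uniformly chosen objects contain all KEY_SIZE key objects."""
    n = len(OBJECT_SPACE)
    return comb(n - KEY_SIZE, n_placed - KEY_SIZE) / comb(n, n_placed)


def run_demo() -> dict:
    """Honest path, forged image, replayed image and confirmation, with a fixed seed."""
    rng = random.Random(7)
    key = enroll(rng)
    t0 = 1_000
    honest = keyed_transform("John", key, t0, rng)      # card asks the renderer for T("John", k)
    forged = untrusted_terminal_forge("John", t0, rng)  # terminal sent "Bob" to the card and
    return {                                            # shows the voter a fake "John" instead
        "honest": human_checks(honest, key, "John", t0 + 5),
        "forged": human_checks(forged, key, "John", t0 + 5),
        "replayed": human_checks(honest, key, "John", t0 + 3_600),
        "confirmed": card_accepts_confirmation(honest, honest.confirmation),
        "p_guess_2_objects": forgery_success_probability(2),
        "p_guess_5_objects": forgery_success_probability(5),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The honest scene passes all three checks, the replayed scene fails only the age check, and the forged scene fails the key check unless the terminal happens to guess both key objects; the confirmation word closes the loop by letting the card learn that the human saw the scene it requested.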
Conclusions
• This is a general approach for interacting with trusted computers.
• Many features of electronic voting systems favor the use of this approach.
• Easy to use
– Avoid computation and memory aids: ask humans to do what they do best.
– Some problems are intuitive (e.g., recognizing a voice).