Nathanael Paul
CRyptography Applications Bistro
February 3, 2004
Electronic Voting
• Convenient
• Supposed to increase voter turnout
• Quicker counts
• Handicapped/disabled
“I wonder where the votes go once you touch the screen and if it's possible to mess with the vote.”
Carol Jacobson, Berkeley, CA
Threats
• Vote Coercion
• Vote Selling
• Vote Solicitation
• Online Registration
• Voter Privacy
• Could have a scrawny teenage script kiddy but now a foreign government
Rubin’s “Security Considerations for Remote Electronic Voting over the Internet”
• Hosts are assumed to be Windows using IE/Netscape
• Internet connection using TCP/IP
• Attack the endpoints (user, servers) or communications
Attacking the host
• Malicious payloads
  – Proxy settings
    • Javascript or Java applets
  – http://www.securityfocus.com/bid/4228/discussion/
  – BackOrifice
    • PCAnywhere, open source
  – Chernobyl virus
    • Activate on certain day
    • Modified bios
Get the code on their machine
• MyDoom
  • instant messenger, file sharing
  – Windows Media Player (Java vulnerability)
• AOL
• Microsoft Office code
DoS/DDoS attacks
• Attack servers
  – Public key encryption
  – Regular expression attacks
    • Ping of death
• DoS attacks on individual applications
  – Java (exploit system code)
Social Engineering
• SSL
  – Average user checking a certificate
  – Even if it’s bad, will some just proceed anyway?
• Spoofing
  – Web site
  – Poisoning DNS cache
What is needed?
• Trusted path between user and election server
  – Malicious code should not have a way to interfere with normal operation.
• Allow citizens outside of the country to vote in an easy manner
• Should be at least as secure as current absentee voting ballot designs
• SSL connection to a central server
• Local Election Official (LEO) precinct computer downloads registration/ballots from central server
SERVE design
(diagram: Voter, Server, LEO precinct computer, Ballots)
Some Security Considerations
• Attack central server, LEO server, host machine, communications (DNS)
• Privacy
  – LEOs can view entire precinct’s votes
  – Central server could view everyone’s votes
• Windows only
• ActiveX and Java used for central server and user
  – 75 flaws in Java from 1999-2003 according to CVE (not all are actual entries)
DoS/DDoS in SERVE
• Central server provides a single point of attack
• LEO
• Election spans longer period of time (month)
• DDoS excess of 150 Gbps
  – E-commerce sites with 10 Gbps link
Measuring it all up
• Vote Coercion
  – Impossible to detect
• Vote Selling
  – Buyers outside of US?
• Vote Solicitation
  – AOL and Pop-ups will go crazy
• Online Registration
  – Man-in-the-middle
• Voter Privacy
  – Not possible with this scheme
Proposed Alternatives
• Remote ballot printer recommended with the voter mailing in the printed ballot
• Chaum’s SureVote scheme with voter-verifiable receipts using Visual Cryptography
• VoteHere (covered by Richard) with a threshold cryptography scheme
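The privacy problem on the “Some Security Considerations” slide (a single LEO or the central server can read every ballot) is exactly what the threshold scheme named under “Proposed Alternatives” is meant to remove. The following is an added illustration, not code from the slides or from VoteHere: a toy exponential-ElGamal tally whose decryption key is Shamir-shared among n trustees so that any k of them can open the aggregate tally but no single party can open anything. The group parameters (p = 1019, q = 509, g = 4), the trustee counts and the sample votes are constructed for the demo; a real system uses a 2048-bit or larger group.

```python
import secrets
from functools import reduce

# Toy group: p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup.
# Constructed for illustration only; production parameters are far larger.
P = 1019
Q = 509
G = 4


def rand_scalar():
    """Random non-zero exponent in Z_Q."""
    return secrets.randbelow(Q - 1) + 1


def shamir_split(secret, k, n):
    """Split secret (in Z_Q) into n shares (i, f(i)); any k of them reconstruct f(0)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    shares = []
    for i in range(1, n + 1):
        y = sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
        shares.append((i, y))
    return shares


def lagrange_at_zero(idx, subset):
    """Lagrange coefficient of share idx over subset, evaluated at x = 0 in Z_Q."""
    num, den = 1, 1
    for j in subset:
        if j != idx:
            num = num * (-j) % Q
            den = den * (idx - j) % Q
    return num * pow(den, -1, Q) % Q


def keygen(k, n):
    """Election public key h = g^x; the private x is handed out only as shares."""
    x = rand_scalar()
    h = pow(G, x, P)
    return h, shamir_split(x, k, n)


def encrypt_vote(h, v):
    """Exponential ElGamal: (g^r, g^v * h^r) for a yes/no vote v in {0, 1}."""
    assert v in (0, 1)
    r = rand_scalar()
    return pow(G, r, P), pow(G, v, P) * pow(h, r, P) % P


def aggregate(ciphertexts):
    """Homomorphic tally: multiplying ciphertexts adds the votes in the exponent."""
    c1 = reduce(lambda a, b: a * b % P, (c[0] for c in ciphertexts), 1)
    c2 = reduce(lambda a, b: a * b % P, (c[1] for c in ciphertexts), 1)
    return c1, c2


def partial_decrypt(share, c1):
    """Each trustee raises c1 to its own share; no share ever leaves the trustee."""
    idx, x_i = share
    return idx, pow(c1, x_i, P)


def combine(partials, c2, max_votes):
    """Combine k partial decryptions in the exponent and brute-force the small tally."""
    subset = [idx for idx, _ in partials]
    c1x = 1
    for idx, d in partials:
        c1x = c1x * pow(d, lagrange_at_zero(idx, subset), P) % P
    g_t = c2 * pow(c1x, -1, P) % P
    for t in range(max_votes + 1):
        if pow(G, t, P) == g_t:
            return t
    return None  # fewer than k honest partials leave g_t meaningless


def tally_demo(votes, k=3, n=5):
    """Run an election with k-of-n trustees over constructed votes; return the tally."""
    h, shares = keygen(k, n)
    cts = [encrypt_vote(h, v) for v in votes]
    c1, c2 = aggregate(cts)
    partials = [partial_decrypt(s, c1) for s in shares[:k]]
    return combine(partials, c2, len(votes))


if __name__ == "__main__":
    print(tally_demo([1, 0, 1, 1, 0]))  # 3
```

The property to notice is that individual ballots are never decrypted at all: only the product of all ciphertexts is opened, and opening it requires k distinct trustees (for instance several LEOs plus the central server) to contribute partial decryptions. Any coalition smaller than k, including a single server holding its own share, learns nothing about the tally or any ballot.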
Additional Reading
• IEEE Security & Privacy, Jan/Feb 2004 special issue on E-voting
• SureVote, VoteHere DRE schemes
• David Dill’s http://www.verifiedvoting.org
“The fact that 50 votes were cast in Florida using VOI, and that a change of 269 votes in the official tally of that state would have resulted in Al Gore becoming President.”
SERVE report, Jan. 21, 2004