The Design and Analysis of a System Architecture
for E-Voting
Thesis Proposal
by
Clifford McCullough
as part of the requirements for the degree of
Master of Engineering in Information Assurance
University Of Colorado, Colorado Springs
1 Committee Members and Signatures:
Approved by
Date
Advisor: Dr. Edward Chow
Committee member: Dr. Xiaobo Zhou
Committee member: Dr. Chuan Yue
Clifford McCullough
March 17, 2012
Page 1 of 6
2 Introduction
Private elections for board of director offices or other business proxy votes have traditionally
been conducted using paper, mail-in ballots. Electronic or online voting is becoming a popular
alternative to paper ballots.
Public elections are the cornerstone of democracy. US citizens overseas or military personnel
deployed overseas currently may use a mail-in, absentee ballot system. Yet, any mail-in ballot
system is perhaps the least secure.
 The vote can easily be sold because the voter possesses proof of how the ballot was cast.
 Personal identification of the voter is not required. Basically, only the signature
identifies the voter.
Public and private elections have different security requirements, though many requirements are
common. Whether voting at a polling location or voting after logging in to an online voting
website, the confidentiality and integrity of the vote must be maintained. Requirements for
private elections are governed by the organization hosting the election. Requirements for public
elections, in the United States, are governed by the individual states following federal guidelines
(EAC 2010).
In 2011, the US Elections Assistance Commission published a technical paper entitled A Survey
of Internet Voting (EAC 2011). The security concerns regarding internet voting are succinctly
listed (EAC 2011, p7).
 Given that no system can be 100% secure, what level of risk can be accepted for such a
fundamental democratic process as voting?
 How can a sponsor considering Internet voting measure the level of risk associated with
various methods and technologies?
 How can a sponsor create and implement standards for this technology and reliably test to
those standards?
It is clear from this technical paper that many countries are interested in e-voting, and that many
companies are offering solutions to this interest.
3 Existing Solutions
There are a variety of private and public e-voting applications available. (MotionVoter 2011)
and (Vote-Now n.d.) offer a private election service. SourceForge includes a project which
promises an open-source electronic voting system for download (Electronic Voting System
2009). Though when I checked, the project had no files available.
The US Department of Defense’s Federal Voting Assistance Program (FVAP) proposed an
Internet based voting system for the 2004 primary and general elections named Secure Electronic
Registration and Voting Experiment (SERVE) (D. D. Jefferson, et al. 2004). The FVAP
assembled a Security Peer Review Group (SPRG) to evaluate SERVE. Their report very
strongly recommended against deploying SERVE and SERVE was withdrawn from use
(Defense 2007, p 11).
Clifford McCullough
March 17, 2012
Page 2 of 6
The SPRG report lists many security concerns regarding electronic voting in general and Internet
voting in particular. These areas of interest include:
 PC-centric application versus Server-centric application.
 Security of the intermediate network.
 Voter-verified audit trail.
 Control of the voting environment.
 Spoofing and man in the middle attacks.
 Denial of service attacks.
The ultimate objective of SERVE is to enable voting from any PC from anywhere in the world
(Defense 2007, p 11). I do not expect that to be accomplished anytime soon. But, I expect
improvements toward that objective can be made.
4 Proposed Improvements
Many e-voting architectures are proprietary and are not released to the public for general review.
(Jefferson, Rubin and Simons 2007) I propose to design and discuss an architecture for an online voting system that will address the vulnerabilities of e-voting. I will design and construct a
demonstration of the major elements of this system. Though I cannot, by myself, make the
system be fully compliant with EAC requirements (EAC 2010).
Figure 1 shows the tentative architecture for the demonstration network. Note that the Demoadmin network is required for ease of administering the network while it is being developed and
would not be included in a real implementation. The eVote private network should be closed,
i.e. not connected to any outside network.
Ballots will be encrypted using Paillier encryption (Paillier 1999). Decryption will require a
threshold public-key cryptosystem. Election judges can only decrypt the totals if a quorum of
judges enter their secret share (Shamir November, 1979).
Service principals will authenticate with each other using Kerberos. Thus, the system needs a
Network Time Protocol (NTP) service and a Domain Name Service (DNS) (Ubuntu Community
Documentation 2011). Service redundancy will not be included in the demonstration other than
the two Tally servers.
The demonstration network will include:
1. Voter logon.
2. Voter balloting.
3. Voter verifying that the ballot is correct.
4. Submission of the ballot to the two Tally servers.
5. The Tally servers will each tally the ballots.
6. The judges can interrogate the final vote tally.
Clifford McCullough
March 17, 2012
Page 3 of 6
Western Digital
1TB
WD1TB
Internet
Service
Provider
Cliff’s
World
Outside
World
Broadband
Modem
Dell XPS 410
Windows Vista
1 Gbps
Network
Keebox
8 Port GB Switch
Netgear FV318
- Firewall
- DHCP
Dell T310
ESXi
Ignis
Gb2 – Ignis2
Kerberos Realm Admin
Key Distribution Center
Ubuntu Server 11-10
Athos.evote
192.168.128.129/28
192.168.0.129/24
Gb1 – Ignis11
Demo
Outside World
DNS server
NTP server
Ubuntu Server 11-10
Dumas.evote
192.168.128.133/28
192.168.0.133/24
Tally 1 Server
Ubuntu Server 11-10
Porthos.evote
192.168.128.130/28
192.168.0.130/24
Voting Server
Windows Server 2008
dArtagnan.evote
192.168.128.132/28
192.168.0.132/24
eVote Private
Network
Tally 2 Server
Ubuntu Server 11-10
Aramis.evote
192.168.128.131/28
192.168.0.131/24
Legend:
Service(s)
Operating System
Fully Qualified Domain Name
eVote addr
admin addr
Western Digital
2TB
WD2TB
Demo-admin
Network
Figure 1, Tentative Architecture
5 Thesis Plan & Schedule
1. Preliminary Investigation (August 1, 2011 – September 30, 2011)
 Identify and evaluate current election procedures.
 Identify e-voting application requirements.
2. Planning (October 1, 2011 – April 30, 2012)
 Research published solutions to e-voting services and requirements.
 Identify tentative e-voting architecture.
 Solidify thesis plan and schedule.
3. Research (February 1, 2012 - September 28, 2012)
 Build a demonstration of the major elements of the architecture.
 Collect data and evaluate the trade-offs made.
 Evaluate vulnerabilities and counter measures.
4. Thesis Generation and Delivery (September 17, 2012 –November 16, 2012)
 Write thesis paper.
 Present final data and obtain approval.
 Create all necessary defense documentation.
 Thesis defense.
Clifford McCullough
March 17, 2012
Page 4 of 6
6 Deliverables
1. An architecture for an e-voting system.
2. A discussion of the trade-offs considered in designing the architecture including
benchmark data and performance comparisons.
3. A demonstration of the major elements of this e-voting system.
4. A discussion of the vulnerabilities and counter measures designed into the architecture.
7 References
Defense, Department of. Expanding the Use of Electronic Voting Technology for UOCAVA
Citizens. Department of Defense, 2007.
DoD, FVAP. "Report on IVAS 2006." ACCURATE - A Center for Correct, Usable, Reliable,
Auditable, and Transparent Elections. 2006. http://accurate-voting.org/wpcontent/uploads/2006/12/ivas.pdf (accessed February 29, 2012).
EAC. A Survey of Internet Voting. Testing and Certification Technical Paper #2, Washingson DC
20005: US Election Assistance Commission, Voting System Testing and Certification Division,
2011.
—. Election Assistance Commission. 2010. http://www.eac.gov/ (accessed February 29, 2012).
—. Voluntary Voting System Guidelines. 2010.
http://www.eac.gov/testing_and_certification/voluntary_voting_system_guidelines.aspx
(accessed March 7, 2012).
Electronic Voting System. 2009. http://evotingsys.sourceforge.net/ (accessed March 6, 2012).
Jefferson, David, Avi Rubin, and Barbara Simons. "The new report in response to the May 2007
DoD report on Voting Technologies for UOCAVA Citizens." June 13, 2007.
http://www.servesecurityreport.org/ (accessed March 04, 2012).
Jefferson, Dr. David, Dr. Aviel D. Rubin, Dr. Barbara Simons, and Dr. David Wagner. "A
Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)." 2004.
MotionVoter. 2011. http://www.motionvoter.com/ (accessed March 6, 2012).
Paillier, Pascal. "Public-Key Cryptosystems Based on Composite Degree Residuosity Clases."
Advances in Cryptology - Eurocrypt '99, 1999: 223-238.
Press, Associated. "Pentagon cancels Internet voting test." MSNBC. 5 17, 2004. (accessed
November 03, 2011).
Shamir, Adi. "How to Share a Secret." Communications of the ACM (Massachusetts Institute of
Technology), November, 1979: 612-613.
Clifford McCullough
March 17, 2012
Page 5 of 6
Ubuntu Community Documentation. "Kerberos." Ubuntu Community Documentation. October
12, 2011. https://help.ubuntu.com/community/Kerberos (accessed March 6, 2012).
Vote-Now. https://secure.vote-now.com/ (accessed March 6, 2012).
Clifford McCullough
March 17, 2012
Page 6 of 6