The Design and Analysis of a System Architecture for E-Voting

Thesis Proposal by Clifford McCullough, as part of the requirements for the degree of Master of Engineering in Information Assurance
University of Colorado, Colorado Springs

1 Committee Members and Signatures

Approved by / Date
Advisor: Dr. Edward Chow
Committee member: Dr. Xiaobo Zhou
Committee member: Dr. Chuan Yue

Clifford McCullough March 17, 2012 Page 1 of 6

2 Introduction

Private elections for board of director offices or other business proxy votes have traditionally been conducted using paper, mail-in ballots. Electronic or online voting is becoming a popular alternative to paper ballots.

Public elections are the cornerstone of democracy. US citizens overseas or military personnel deployed overseas currently may use a mail-in, absentee ballot system. Yet any mail-in ballot system is perhaps the least secure: the vote can easily be sold because the voter possesses proof of how the ballot was cast, and personal identification of the voter is not required. Basically, only the signature identifies the voter.

Public and private elections have different security requirements, though many requirements are common. Whether voting at a polling location or voting after logging in to an online voting website, the confidentiality and integrity of the vote must be maintained. Requirements for private elections are governed by the organization hosting the election. Requirements for public elections, in the United States, are governed by the individual states following federal guidelines (EAC 2010).

In 2011, the US Election Assistance Commission published a technical paper entitled A Survey of Internet Voting (EAC 2011). The security concerns regarding Internet voting are succinctly listed (EAC 2011, p. 7):
- Given that no system can be 100% secure, what level of risk can be accepted for such a fundamental democratic process as voting?
- How can a sponsor considering Internet voting measure the level of risk associated with various methods and technologies?
- How can a sponsor create and implement standards for this technology and reliably test to those standards?

It is clear from this technical paper that many countries are interested in e-voting, and that many companies are offering solutions to this interest.

3 Existing Solutions

There are a variety of private and public e-voting applications available. MotionVoter (MotionVoter 2011) and Vote-Now (Vote-Now n.d.) offer a private election service. SourceForge includes a project which promises an open-source electronic voting system for download (Electronic Voting System 2009), though when I checked, the project had no files available.

The US Department of Defense's Federal Voting Assistance Program (FVAP) proposed an Internet-based voting system for the 2004 primary and general elections named Secure Electronic Registration and Voting Experiment (SERVE) (Jefferson et al. 2004). The FVAP assembled a Security Peer Review Group (SPRG) to evaluate SERVE. Their report very strongly recommended against deploying SERVE, and SERVE was withdrawn from use (Defense 2007, p. 11).

The SPRG report lists many security concerns regarding electronic voting in general and Internet voting in particular. These areas of interest include:
- PC-centric application versus server-centric application.
- Security of the intermediate network.
- Voter-verified audit trail.
- Control of the voting environment.
- Spoofing and man-in-the-middle attacks.
- Denial of service attacks.

The ultimate objective of SERVE is to enable voting from any PC from anywhere in the world (Defense 2007, p. 11). I do not expect that to be accomplished anytime soon. But I expect improvements toward that objective can be made.

4 Proposed Improvements

Many e-voting architectures are proprietary and are not released to the public for general review (Jefferson, Rubin and Simons 2007). I propose to design and discuss an architecture for an online voting system that will address the vulnerabilities of e-voting. I will design and construct a demonstration of the major elements of this system. I cannot, however, by myself make the system fully compliant with EAC requirements (EAC 2010).

Figure 1 shows the tentative architecture for the demonstration network. Note that the Demo-admin network is required for ease of administering the network while it is being developed and would not be included in a real implementation. The eVote private network should be closed, i.e. not connected to any outside network.

Ballots will be encrypted using Paillier encryption (Paillier 1999). Decryption will require a threshold public-key cryptosystem: election judges can only decrypt the totals if a quorum of judges enter their secret share (Shamir 1979). Service principals will authenticate with each other using Kerberos. Thus, the system needs a Network Time Protocol (NTP) service and a Domain Name Service (DNS) (Ubuntu Community Documentation 2011). Service redundancy will not be included in the demonstration other than the two Tally servers.

The demonstration network will include:
1. Voter logon.
2. Voter balloting.
3. Voter verifying that the ballot is correct.
4. Submission of the ballot to the two Tally servers.
5. The Tally servers will each tally the ballots.
6. The judges can interrogate the final vote tally.
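The following Python program is an added example, not part of the proposal and not the demonstration system's own code. It shows the cryptographic core of the steps above: a voter casts a Paillier-encrypted ballot and verifies it by re-encrypting with the saved randomness, a Tally server combines ballots homomorphically without ever decrypting an individual vote, and a quorum of judges combine Shamir shares to decrypt only the totals. The primes, candidate names and vote list are constructed demo values; the function names are the example's own. Two simplifications are labelled in the code: real threshold Paillier combines per-judge partial decryptions so that the private exponent is never reassembled in one place, and a real system must also require a zero-knowledge proof that each ballot ciphertext encrypts only 0 or 1, since the homomorphic tally below would happily accept an encryption of 1000.

```python
"""Paillier ballots, homomorphic tallying, and quorum decryption via Shamir shares.
Added example for the proposal above; not the proposal's own code."""
import math
import secrets

# Constructed demo primes: well-known primes, far too small for real use.
P_PRIME = 1000000007
Q_PRIME = 998244353
# Field for Shamir sharing: the Mersenne prime 2^61 - 1, larger than lambda below.
SHARE_MOD = (1 << 61) - 1

def paillier_keygen(p=P_PRIME, q=Q_PRIME):
    """Return (public, private) Paillier keys using the generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lambda = lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n + 1, mu is simply lambda^-1 mod n
    return {"n": n, "n2": n * n}, {"lam": lam, "mu": mu}

def encrypt(pub, m, r=None):
    """c = (1 + m*n) * r^n mod n^2; returns (c, r) so the voter can re-check."""
    n, n2 = pub["n"], pub["n2"]
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while r is None or math.gcd(r, n) != 1:
        r = 2 + secrets.randbelow(n - 2)  # random nonce in [2, n-1]
    return (1 + m * n) * pow(r, n, n2) % n2, r

def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, n2 = pub["n"], pub["n2"]
    return ((pow(c, priv["lam"], n2) - 1) // n) * priv["mu"] % n

def add_encrypted(pub, c1, c2):
    """Additive homomorphism: E(a) * E(b) mod n^2 is an encryption of a + b."""
    return c1 * c2 % pub["n2"]

def split_secret(secret, threshold, shares, mod=SHARE_MOD):
    """Shamir: points on a random polynomial whose constant term is the secret."""
    coeffs = [secret % mod] + [secrets.randbelow(mod) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for a in reversed(coeffs):  # Horner evaluation in the prime field
            y = (y * x + a) % mod
        points.append((x, y))
    return points

def recover_secret(points, mod=SHARE_MOD):
    """Lagrange interpolation at x = 0; needs `threshold` distinct points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % mod
                den = den * (xi - xj) % mod
        total = (total + yi * num * pow(den, -1, mod)) % mod
    return total

def cast_ballot(pub, candidates, choice):
    """One ciphertext per candidate: E(1) for the chosen one, E(0) for the rest.
    Omitted here: a proof that every ciphertext encrypts 0 or 1 (needed in practice)."""
    ballot, nonces = {}, {}
    for cand in candidates:
        ballot[cand], nonces[cand] = encrypt(pub, 1 if cand == choice else 0)
    return ballot, nonces

def voter_verify(pub, ballot, nonces, candidates, choice):
    """Voter re-encrypts the intended choice with the saved nonces and compares."""
    return all(
        encrypt(pub, 1 if cand == choice else 0, nonces[cand])[0] == ballot[cand]
        for cand in candidates
    )

def tally(pub, ballots, candidates):
    """Tally server multiplies ciphertexts; it never sees an individual vote."""
    totals = {cand: 1 for cand in candidates}  # 1 is E(0) with nonce r = 1
    for ballot in ballots:
        for cand in candidates:
            totals[cand] = add_encrypted(pub, totals[cand], ballot[cand])
    return totals

def run_election(votes, candidates, judges=5, quorum=3):
    """End-to-end demo with constructed votes; returns plaintext totals."""
    pub, priv = paillier_keygen()
    shares = split_secret(priv["lam"], quorum, judges)  # one share per judge
    ballots = []
    for choice in votes:
        ballot, nonces = cast_ballot(pub, candidates, choice)
        if not voter_verify(pub, ballot, nonces, candidates, choice):
            raise RuntimeError("ballot verification failed")
        ballots.append(ballot)
    encrypted_totals = tally(pub, ballots, candidates)
    # Simplification: a quorum reassembles lambda. Real threshold Paillier
    # combines per-judge partial decryptions so lambda is never reconstructed.
    lam = recover_secret(shares[:quorum])
    judge_key = {"lam": lam, "mu": pow(lam, -1, pub["n"])}
    return {cand: decrypt(pub, judge_key, c) for cand, c in encrypted_totals.items()}

if __name__ == "__main__":
    print(run_election(["A", "B", "A", "C", "A"], ["A", "B", "C"]))
```

Running the block tallies five constructed ballots to {"A": 3, "B": 1, "C": 1}. Because both Tally servers in the architecture would hold only ciphertexts, a compromised Tally server learns nothing about individual votes; what it can do is drop or duplicate ballots, which is why the proposal's two independent tallies and the judges' quorum requirement matter.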
Figure 1, Tentative Architecture. The figure is a network diagram; its hosts are recovered here in the legend's order of service(s) / operating system / fully qualified domain name / eVote address / admin address:
- Kerberos realm admin, Key Distribution Center / Ubuntu Server 11-10 / Athos.evote / 192.168.128.129/28 / 192.168.0.129/24
- DNS server, NTP server / Ubuntu Server 11-10 / Dumas.evote / 192.168.128.133/28 / 192.168.0.133/24
- Tally 1 Server / Ubuntu Server 11-10 / Porthos.evote / 192.168.128.130/28 / 192.168.0.130/24
- Tally 2 Server / Ubuntu Server 11-10 / Aramis.evote / 192.168.128.131/28 / 192.168.0.131/24
- Voting Server / Windows Server 2008 / dArtagnan.evote / 192.168.128.132/28 / 192.168.0.132/24
Networks shown: eVote Private Network, Demo-admin Network, and Demo Outside World. Physical equipment shown: a Dell T310 running ESXi (Ignis, with NICs Gb1 – Ignis11 and Gb2 – Ignis2) and Western Digital 1TB (WD1TB) and 2TB (WD2TB) drives, a Dell XPS 410 running Windows Vista, a Keebox 8-port gigabit switch on a 1 Gbps network, a Netgear FV318 firewall and DHCP server, and a broadband modem to the Internet Service Provider (Cliff's World / Outside World).

5 Thesis Plan & Schedule

1. Preliminary Investigation (August 1, 2011 – September 30, 2011)
   - Identify and evaluate current election procedures.
   - Identify e-voting application requirements.
2. Planning (October 1, 2011 – April 30, 2012)
   - Research published solutions to e-voting services and requirements.
   - Identify tentative e-voting architecture.
   - Solidify thesis plan and schedule.
3. Research (February 1, 2012 – September 28, 2012)
   - Build a demonstration of the major elements of the architecture.
   - Collect data and evaluate the trade-offs made.
   - Evaluate vulnerabilities and countermeasures.
4. Thesis Generation and Delivery (September 17, 2012 – November 16, 2012)
   - Write thesis paper.
   - Present final data and obtain approval.
   - Create all necessary defense documentation.
   - Thesis defense.

6 Deliverables

1. An architecture for an e-voting system.
2. A discussion of the trade-offs considered in designing the architecture, including benchmark data and performance comparisons.
3. A demonstration of the major elements of this e-voting system.
4. A discussion of the vulnerabilities and countermeasures designed into the architecture.

7 References

Defense, Department of. Expanding the Use of Electronic Voting Technology for UOCAVA Citizens. Department of Defense, 2007.
DoD, FVAP. "Report on IVAS 2006." ACCURATE - A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections. 2006. http://accurate-voting.org/wpcontent/uploads/2006/12/ivas.pdf (accessed February 29, 2012).
EAC. A Survey of Internet Voting. Testing and Certification Technical Paper #2, Washington DC 20005: US Election Assistance Commission, Voting System Testing and Certification Division, 2011.
—. Election Assistance Commission. 2010. http://www.eac.gov/ (accessed February 29, 2012).
—. Voluntary Voting System Guidelines. 2010. http://www.eac.gov/testing_and_certification/voluntary_voting_system_guidelines.aspx (accessed March 7, 2012).
Electronic Voting System. 2009. http://evotingsys.sourceforge.net/ (accessed March 6, 2012).
Jefferson, David, Avi Rubin, and Barbara Simons. "The new report in response to the May 2007 DoD report on Voting Technologies for UOCAVA Citizens." June 13, 2007. http://www.servesecurityreport.org/ (accessed March 04, 2012).
Jefferson, David, Aviel D. Rubin, Barbara Simons, and David Wagner. "A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)." 2004.
MotionVoter. 2011. http://www.motionvoter.com/ (accessed March 6, 2012).
Paillier, Pascal. "Public-Key Cryptosystems Based on Composite Degree Residuosity Classes." Advances in Cryptology - Eurocrypt '99, 1999: 223-238.
Press, Associated. "Pentagon cancels Internet voting test." MSNBC, May 17, 2004 (accessed November 03, 2011).
Shamir, Adi. "How to Share a Secret." Communications of the ACM 22, no. 11 (November 1979): 612-613.
Ubuntu Community Documentation. "Kerberos." Ubuntu Community Documentation. October 12, 2011. https://help.ubuntu.com/community/Kerberos (accessed March 6, 2012).
Vote-Now. https://secure.vote-now.com/ (accessed March 6, 2012).