Security Issues Facing Online Voting Systems
Joe Hernandez, MEIA CS-6910, Dr. Chow
Overview
• The Security of Remote Online Voting [1]
• Two case studies and the troubles faced by each election
• Cryptographic foundations
• Blind ballot using public key cryptography (PKC)
• Voting protocol using PKC
• Blind ballot using public key infrastructure (PKI)
• Modified voting protocol using PKI
• Technology risks facing online voting
• Election risk and security
• Suggested security measures for online voting
Paper Review: The Security of Remote Online Voting [1]
• The paper discusses two cases of internet voting: the Arizona Democratic Party primary in 2000 and the student council elections at the University of Virginia
• Benefits claimed for internet voting:
  • Eliminate the "hanging chad"
  • Speed up the counting process
  • Eliminate lengthy recounts
  • Increase voter turnout
  • Guarantee the intent of the voter (simplify voting)
Case Study: 2000 Arizona Democratic Primary
• First major use of internet voting in a legally binding political election
• Considered a "private" (party) election, so not subject to public voting standards
• Contracted out to election.com
• The vendor claimed success (it had a financial motive to do so)
• Many things went wrong!!
What went wrong?
• Failed to heed warnings from technical experts
• Voters forgot, lost, or received the wrong PINs
• Assigning PINs to named voters undermined the secret ballot
• Unequal internet/computer access for minority voters
• Computer and browser compatibility issues
• Site down for an hour on election day
• No customer service and only limited help desk support
• Multiple lawsuits filed (alleged violation of the 1965 Voting Rights Act)
• Belief that security was "airtight"
• Used a proprietary encryption algorithm
Case Study: University of Virginia Student Council Elections
• Small, simple, and considered successful
• Paper ballots had not been effective
• Easy internet access among the campus population
• Minimal hardware/software necessary
• Easy authentication with a small population
• Yet it had problems similar to the Arizona election
What went wrong here?
• Relied on a community of "trust"
• Servers crashed within minutes of the election opening
• Student information was publicly available, making it easy to hijack someone's vote
• Votes were not encrypted in transmission
• Some students were blocked from voting: by department, overseas students, and by "class status" as determined by credit hours
• Candidates were listed alphabetically, and those at the top appeared to be favored
• Fundamental trade-off between security and convenience
Cryptographic Foundations
• Online voting depends on public key cryptography (PKC)
• Diffie-Hellman key exchange (1976) changed cryptography forever: two parties can agree on a shared secret key over a public channel
• RSA introduced the use of two keys (public and private) and also allows digital signatures on messages
• PKC provides authentication and confidentiality, which makes online voting (at least in theory) possible
• PKC can be used to produce "blind ballots"
• Blind ballots protect the voter's right to keep the vote private: a validator can sign (authorize) a ballot without learning its content
Blind Ballot using PKC (figure)
1. The voter has a message M (the ballot) and picks a random blinding factor r.
2. Blinded document: M * r.
3. The notary signs the blinded document with its private key KR without seeing M: E_KR(M * r).
4. The voter divides out the blinding factor r to obtain the signed message E_KR(M).
Note: with RSA the factor actually multiplied in is r^e (not plain r), so that signing with the private exponent d turns it into r, which the voter then divides out; a plain multiplicative factor would not survive the signing exponentiation.
Is something wrong with this method?
Is the message/vote truly blinded? (figure)
1. The voter receives a PIN from the registration server during registration (stored in the PIN database).
2. The voter sends the blinded ballot and the PIN to the validator: E_KR(M * r) + PIN.
3. The validator checks the PIN against the database, signs the blinded ballot, and sends it back to the voter: E_KV(E_KR(M * r)).
4. The voter removes the blinding and passes the signed ballot E_KV(M) to the tallier anonymously*.
5. The validated vote is tallied.
Modified Blind Ballot using PKI (figure)
• Inputs: the voter's PIN from the registration process, the election public key (EPK), the validator's public key (VPK), and the message M.
• The voter encrypts the vote under the election key: E_EPK(M). This is the "blinded" message; the validator cannot read it.
• The voter appends the PIN and encrypts the pair under the validator's key: E_VPK(E_EPK(M) + PIN).
• The vote is blinded from the validator; confidentiality and integrity are provided between voter and validator.
Modified Voting Protocol (figure)
1. The voter sends the encrypted, blinded ballot with the PIN: E_VPK(E_EPK(M) + PIN).
2. The validator decrypts it, checks the PIN against the PIN database, removes the PIN, signs the ballot with its private key, and sends it to the voting database: E_VPRK(E_EPK(M)).
3. The signed blinded ballot is entered into the voting database.
4. Validated votes are tallied, which requires the election private key.
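The two flows above, as an added example that is not part of the presentation or of the thesis it reviews. It uses textbook RSA with fixed demo primes and no padding (all function names, the candidate strings and the PIN are constructed for this illustration): the blinded-ballot flow of the earlier two figures, in which the validator signs a value it cannot relate to the ballot the tallier later receives, and the modified flow, in which the ballot is encrypted under the election key before the validator ever sees it.

```python
# Added example (not from the presentation): the blind-ballot flow and the
# modified flow, on textbook RSA with fixed demo primes and no padding.
# It illustrates the message flow only; it is not production cryptography.
import hashlib
import secrets
from math import gcd

# Known Mersenne primes, chosen so the demo runs instantly (demo sizes only).
M61, M89, M107, E = 2**61 - 1, 2**89 - 1, 2**107 - 1, 65537


def keygen(p, q, e=E):
    """Textbook RSA: returns public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))


def rsa(x, key):
    """x^k mod n: sign/decrypt with the private key, verify/encrypt with the public."""
    n, k = key
    return pow(x, k, n)


def blind(m, pub):
    """Voter: pick r coprime to n and compute M * r^e mod n. The factor is r^e
    (not plain r) so that signing with d turns it into r^(ed) = r."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r


def unblind(sig_blinded, r, n):
    """Voter: divide out r, leaving a valid signature on M the signer never saw."""
    return (sig_blinded * pow(r, -1, n)) % n


def blind_ballot_protocol(ballot: bytes, pin: int, registered: set):
    """Blinded ballot + PIN to the validator, who checks the PIN and signs blindly;
    the voter unblinds and passes (ballot, signature) to the tallier over an
    assumed anonymous channel. Returns (tallier_accepts, validator_can_link),
    the latter being whether anything the validator saw reappears at the tallier."""
    val_pub, val_priv = keygen(M61, M89)
    n = val_pub[0]
    m = int.from_bytes(hashlib.sha256(ballot).digest(), "big") % n  # the M signed
    blinded, r = blind(m, val_pub)
    # --- validator: sees only (blinded, pin) and its own signature on blinded ---
    if pin not in registered:
        raise PermissionError("PIN not in registration database")
    signed_blinded = rsa(blinded, val_priv)
    seen_by_validator = {blinded, signed_blinded}
    # --- voter unblinds; tallier verifies the validator's signature on M ---
    sig = unblind(signed_blinded, r, n)
    tallier_accepts = rsa(sig, val_pub) == m
    return tallier_accepts, bool(seen_by_validator & {m, sig})


def modified_protocol(ballot: bytes, pin: int, registered: set, candidates):
    """Ballot encrypted under the election key, (ciphertext, PIN) wrapped under the
    validator key; the validator unwraps, checks the PIN, signs the ciphertext and
    drops the PIN; only the election private key can tally. Returns
    (tallied_ballot, validator_guess): the guess is what a curious validator can
    recover by trial-encrypting each public candidate name, which succeeds here
    because unpadded RSA is deterministic."""
    elec_pub, elec_priv = keygen(M61, M89)    # ~150-bit modulus
    val_pub, val_priv = keygen(M89, M107)     # ~196-bit, so the wrapper fits
    m = int.from_bytes(ballot, "big")
    assert m < elec_pub[0], "demo ballots must be short"
    c = rsa(m, elec_pub)                      # E_EPK(M), unreadable by the validator
    wrapped = rsa(c * 2**32 + pin, val_pub)   # E_VPK(E_EPK(M) || PIN)
    # --- validator ---
    c_seen, pin_seen = divmod(rsa(wrapped, val_priv), 2**32)
    if pin_seen not in registered:
        raise PermissionError("PIN not in registration database")
    signed = rsa(c_seen, val_priv)            # E_VPRK(E_EPK(M)); PIN removed
    # --- voting database: verify the validator, tally with the election key ---
    assert rsa(signed, val_pub) == c_seen
    tallied = rsa(c_seen, elec_priv).to_bytes(len(ballot), "big")
    guess = next((name for name in candidates
                  if rsa(int.from_bytes(name, "big"), elec_pub) == c_seen), None)
    return tallied, guess


if __name__ == "__main__":
    pins = {123456}   # constructed registration database
    print(blind_ballot_protocol(b"vote: A", 123456, pins))
    print(modified_protocol(b"vote: A", 123456, pins, [b"vote: A", b"vote: B"]))
```

The first function shows the property the blind-signature figure relies on: the validator learns who voted (the PIN) but nothing that links to the ballot the tallier receives, provided the voter reaches the tallier over an anonymous channel. The second shows a caveat the modified protocol's "vote blinded from validator" claim depends on: with a small set of public candidates and deterministic encryption, the validator recovers the vote by encrypting each candidate under the election key and comparing; randomized encryption (for example RSA-OAEP padding) is needed for that claim to hold.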
Comparison of Elections
University of Virginia
• Small-scale election
• Traditional methods too costly
• Not legally binding
• Everyone had internet access
• No legal requirements
• Some voters unable to vote
• Small targeted group (campus)
• Authorization via registration
• Small target for hackers (no gain)
• Managed in house by the IT department
• Traded security for convenience
• Trust within the community!!
• Considered a success
Arizona Election
• Large-scale election
• Traditional methods were the status quo
• Legally binding
• Internet not available to everyone
• Lawsuits filed
• Some voters could not vote
• Large target audience (state)
• Authorization required registration
• Large political target for hackers
• Undisclosed funds spent
• Security a major concern
• Trust a major issue!!
• Considered a failure
Technology Risks for Online Voting
Security risks associated with online voting:
• The internet is still a very insecure medium
• Spyware, malicious code, botnets, hackers, oh my!!!
• Spam: bogus e-mails or links to bogus voter websites (phishing)
• Poorly developed applications
• Denial of service and distributed denial of service attacks (DoS/DDoS)
• Physical attacks are possible
• Insider threat, intentional or unintentional
• Rarely a brute-force attack against the cryptographic algorithms themselves
Election Risk & Security (figure)
• Horizontal axis: election risk / criticality of outcome.
• Vertical axis: cost ($ to $$$$), security measures, and CIA triad level (Low, Moderate, High, "Off the Hook").
• Example elections from lowest to highest risk: student council election, university official, city public official, state/national committee, state/federal official, presidential election.
• The chart divides this range into security zones 1 through 4, detailed on the following slides.
Trust in Technology / the Internet
• Technology and the internet are part of our culture
• Ease of internet access
• Online banking
• Online sales (Amazon, etc.)
• Use of ATMs: 290,000 ATMs in the US in 1999; 14.9 billion transactions in 1998
• Debit/credit cards
• Airline tickets on your cell phone, approved by the TSA!
• Internet usage statistics: http://www.google.com/publicdata?ds=wb-wdi&met_y=it_net_user_p2&idim=country:USA&dl=en&hl=en&q=internet+usage+statistics
Zone 1 - Security
Things to consider:
• Keep it simple!
• Use SSL/TLS
• Establish a secure web site/server
• Enforce strong usernames and passwords
• Keep systems patched and anti-virus/anti-spyware current
• Apply the applicable STIGs from DISA or NSA
• Eliminate unnecessary applications/software (harden the system)
• Use available tools to scan for vulnerabilities before the election
• Back up your website and your data daily, and keep the backups secure
• Limit your exposure: open the website during voting hours only
• Possibly use a firewall or host the system at a secure site if the budget allows
Cost: $ (low); CIA: low; Legal: none
Zone 2 - Security
Things to consider:
• Zone 1 security requirements
• Firewall / DMZ
• Host-based intrusion detection system
• Public key cryptography
• Authentication, authorization, and accountability (AAA)
• Redundant systems
• Alternate / backup site
• Internal review/certification (NIST SP 800-53, Low to Moderate baseline)
• Consider web site security (OWASP Top 10)
• Requires individual registration and issuing of PINs
Cost: $$ (moderate); CIA: moderate; Legal: possible
Web App Security Risks
The OWASP Top 10 Web Application Security Risks for 2010:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
Zone 3 - Security
Things to consider:
• Zone 2 security requirements
• Independent registration system
• Enhanced firewalls and a DMZ
• Deep packet inspection
• Intrusion detection / prevention systems
• VPNs
• End-to-end encryption (PKC/PKI)
• Cryptographic authentication for election officials
• Penetration testing
• Independent certification/review (NIST SP 800-53, Moderate to High baseline)
• Functional and compatibility testing
• Legal review to ensure compliance with applicable laws
Cost: $$$ (high); CIA: high; Legal: state/federal
Zone 4 - Security
Things to consider:
• Zone 3 security requirements
• Multiple independent operating locations
• High availability and redundancy, distributed across the enterprise
• DoS/DDoS detection and reaction, with redirection of authorized traffic
• Multiple linked online intrusion detection / prevention systems
• Enterprise monitoring and management (networks, servers, databases, ...)
• Private/dedicated encrypted networks compliant with FIPS 140-2
• Heavy use of PKI and end-to-end encryption
• Multiple independent certifications/reviews (NIST SP 800-53, High baseline)
• Federal and state legal review to ensure compliance with applicable laws
Cost: $$$$ (very high); CIA: high, plus AAA; Legal: federal/state
Conclusion
• The issues facing online voting are enormous
• The internet continues to be an insecure medium
• Insecurity is across the board: clients, applications, networks, ...
• Insecurity seems to be increasing
• Trust across the community is lacking
• Issues range from technical to administrative to legal
• Problems persist, new ones arise, and old ones are not fixed
• Small-scale voting seems to be far more successful
• Cryptographic techniques exist to support online voting
• Further research into multiple online voting areas is still needed
Sources
[1] Daniel Rubin, "The Security of Remote Online Voting," thesis, School of Engineering and Applied Science, University of Virginia.