MIT/Caltech Voting Technology Project
Jonathan Goler (jagoler@mit.edu)
Ted Selker (selker@media.mit.edu)
(c) 2001 MIT Media Lab
Roadmap
• Motivation
• Architecture
• Implications
Design Principles
• Trust no-one!
• Ensure upgradeability
• Simple, intuitive interface
• Ensure privacy and security integrity
Who do we trust?
• We have to trust the aggregation of many not-necessarily-trustworthy programs.
• Open source is a vital requirement.
• Many systems at each stage provide greater confidence in a correct answer.
Ensuring Interoperability
• Define a specification for interaction between the components
• XML for data transfer (electronic and optically scanned FROGs)
• Open specifications and open source
No single anything voting (diagram): voters n, n+1 and n+2 and the voter system see the same bitmap; the voter can authenticate the datum while voting; keys and names are checked by Authentication Site No. 1, No. 2 and No. 3; votes live on a viewable database.
No single anything voting
• Voter client software: human-readable output is the only thing shared
• Voter authentication software: multiple competing authentication systems must agree
• Voter aggregating software: multiple competing aggregating systems must agree
• Vote verification software: FROG as transport medium?
1. Images are read by multiple voting systems
2. Voting systems have key validators to evaluate the validity of voters
3. Multiple authenticators check the votes
4. Multiple aggregators record the votes
Reference Implementation
• Java for all the parts
• XML data transfer
• Oracle database back end
Processing a Vote
• Transmit data to several “authentication servers”
• Each authentication server checks the validity of the voter
• Each authentication server signs the vote and passes just the vote itself on to the next set of servers, the aggregators
Blind Signatures
• Each vote is encrypted at the voting terminal
• Registration data and the encrypted vote are sent to the authentication servers
• Authentication servers ask the registration server to sign the vote
• The signed, encrypted vote is passed to the aggregation servers, which can verify the signature and decrypt the vote contents
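The flow on the “Processing a Vote” and “Blind Signatures” slides, as an added example in Python; this is not the project's Java reference implementation. It assumes Chaum-style RSA blind signatures over textbook RSA with hard-coded Mersenne-prime keys and a SHA-256 hash of the encrypted vote, and it models the registration roll as a plain set; the registration server signs a blinded value, so it never learns which encrypted vote it endorsed, while the aggregators can still verify that endorsement before decrypting.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA keys from known Mersenne primes (an assumption for illustration; a real
# deployment would use generated keys and padded RSA, not textbook RSA).
E = 65537

def make_key(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))

REG_N, REG_D = make_key(2**61 - 1, 2**89 - 1)     # registration server key pair
AGG_N, AGG_D = make_key(2**107 - 1, 2**127 - 1)   # aggregation server key pair

def encode(c: int, n: int) -> int:
    """Hash the encrypted vote to a fixed-size integer below the signing modulus."""
    return int.from_bytes(hashlib.sha256(c.to_bytes(32, "big")).digest(), "big") % n

def terminal_prepare(vote: bytes):
    """Voting terminal: encrypt the vote for the aggregators, then blind its hash."""
    m = int.from_bytes(vote, "big")
    if m >= AGG_N:
        raise ValueError("vote too long for this toy key")
    c = pow(m, E, AGG_N)                     # only the aggregators can open this
    while True:                              # blinding factor must be invertible mod REG_N
        r = secrets.randbelow(REG_N)
        if r > 1 and gcd(r, REG_N) == 1:
            break
    blinded = (encode(c, REG_N) * pow(r, E, REG_N)) % REG_N
    return c, r, blinded

def registration_sign(blinded: int, voter_id: str, roll: set) -> int:
    """Registration server: check the voter is on the roll, then sign blind."""
    if voter_id not in roll:
        raise PermissionError("voter not registered")
    return pow(blinded, REG_D, REG_N)        # sees only the blinded value, not the vote

def terminal_unblind(blind_sig: int, r: int) -> int:
    """Voting terminal: remove the blinding factor, leaving an ordinary RSA signature."""
    return (blind_sig * pow(r, -1, REG_N)) % REG_N

def aggregator_accept(c: int, sig: int) -> bytes:
    """Aggregation server: verify the registration signature, then decrypt the vote."""
    if pow(sig, E, REG_N) != encode(c, REG_N):
        raise ValueError("signature does not verify: vote rejected")
    m = pow(c, AGG_D, AGG_N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```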
Security Assurances
• Multiple open source systems will have checks and balances over each other.
• All votes can be recorded in multiple locations and compared later.
Our Implementation
• Back-end pre-voting system (ballot generation / registration)
• Front-end system (voting)
• Back-end vote processing (ballot analysis)
Back-End Pre-Vote
• Ballots are generated in a standard XML format at a central election office; the ballot itself contains its own metadata.
• Ballots are distributed (electronically or physically) to the voting machines.
Voting Machine
• The voting machine will render the XML ballot.
• The voter will fill out the ballot.
• The machine will review the selections for the voter.
• The voter will confirm the selections.
Voting Machine
• The ballot will be recorded on a FROG.
• The ballot is signed by the registration computer and submitted.
Vote Processing
• The signed ballot is validated by several independent systems, each of which submits it to the final collection servers.
• The servers then decrypt the contents of the votes and report the results.
What’s so good?
• The vote is detached from identity.
• Registration officials do not know how you voted.
• The multiple aggregation systems increase reliability and resistance to attacks.
What about DDoS?
• The simplest solution is to have a set of aggregation servers at the precincts, and allow them either to transmit the votes at once or to create encrypted records to send to the central tabulation location. Without exposure to the public internet, DDoS is irrelevant.
Cost
• We can utilize computers in schools to run the balloting software, which does not require extensive security certification.
• Aggregation and authentication servers would be highly scrutinized, and thus more expensive, but far fewer are needed.
Q&A
Jonathan Goler (jagoler@mit.edu)