160 likes | 251 Views
Nathanael Paul. CRyptography Applications Bistro February 3, 2004. Electronic Voting. Convenient Supposed to increase voter turnout Quicker counts Handicapped/disabled “I wonder where the votes go once you touch the screen and if it's possible to mess with the vote.”
E N D
Nathanael Paul CRyptography Applications Bistro February 3, 2004
Electronic Voting • Convenient • Supposed to increase voter turnout • Quicker counts • Handicapped/disabled • “I wonder where the votes go once you touch the screen and if it's possible to mess with the vote.” Carol Jacobson, Berkeley, CA
Threats • Vote Coercion • Vote Selling • Vote Solicitation • Online Registration • Voter Privacy • Could have a scrawny teenage script kiddy but now a foreign government
Rubin’s “Security Considerations for Remote Electronic Voting over the Internet” • Hosts are assumed to be Windows using IE/Netscape • Internet connection using TCP/IP • Attack the endpoints (user, servers) or communications
Attacking the host • Malicious payloads • Proxy settings • Javascript or Java applets • http://www.securityfocus.com/bid/4228/discussion/ • BackOrifice • PCAnywhere, open source • Chernobyl virus • Activate on certain day • Modified bios
Get the code on their machine • MyDoom • instant messenger, file sharing • Windows Media Player (Java vulnerability) • AOL • Microsoft Office code
DoS/DDoS attacks • Attack servers • Public key encryption • Regular expression attacks • Ping of death • DoS attacks on individual applications • Java (exploit system code)
Social Engineering • SSL • Average user checking a certificate • Even if it’s bad, will some just proceed anyways? • Spoofing • Web site • Poisoning DNS cache
What is needed? • Trusted path between user and election server • Malicious code should not have a way to interfere with normal operation.
Allow citizens outside of the country to vote in an easy manner • Should be at least as secure as current absentee voting ballot designs • SSL connection to a central server • Local Election Official (LEO) precinct computer downloads registration/ballots from central server
SERVE design Ballots <name, Ekv(ballot)> Server <GET BALLOTS> <EkLEO(BALLOTS)> Voter LEO precinct computer
Some Security Considerations • Attack central server, LEO server, host machine, communications (DNS) • Privacy • LEO’s can view entire precinct’s votes • Central server could view everyone’s votes • Windows only • ActiveX and Java used for central server and user • 75 flaws in Java from 1999-2003 according to CVE (not all are actual entries)
DoS/DDoS in SERVE • Central server provides a single point of attack • LEO • Election spans longer period of time (month) • DDoS excess of 150 Gbps • E-commerce sites with 10 Gbps link
Measuring it all up • Vote Coercion • Impossible to detect • Vote Selling • Buyers outside of US? • Vote Solicitation • AOL and Pop-ups will go crazy • Online Registration • Man-in-the-middle • Voter Privacy • Not possible with this scheme
Proposed Alternatives • Remote ballot printer recommended with the voter mailing in the printed ballot • Chaum’s SureVote scheme with voter-verifiable receipts using Visual Cryptography • VoteHere (covered by Richard) with a threshold cryptography scheme
Additional Reading • IEEE Security & Privacy, Jan/Feb 2004 special issue on E-voting • SureVote, VoteHere DRE schemes • David Dill’s http://www.verifiedvoting.org “The fact that 50 votes were cast in Florida using VOI, and that a change of 269 votes in the official tally of that state would have resulted in Al Gore becoming President.” SERVE report, Jan. 21, 2004