Nathanael Paul

CRyptography Applications BistroFebruary 3, 2004

Electronic Voting

• Convenient

• Supposed to increase voter turnout

• Quicker counts

• Handicapped/disabled

• “I wonder where the votes go once you touch the screen and if it's possible to mess with the vote.”

Carol Jacobson, Berkeley, CA

Threats• Vote Coercion

• Vote Selling

• Vote Solicitation

• Online Registration

• Voter Privacy

• Could have a scrawny teenage script kiddy but now a foreign government

Rubin’s “Security Considerations for Remote Electronic Voting over the

Internet”• Hosts are assumed to be Windows using

IE/Netscape

• Internet connection using TCP/IP

• Attack the endpoints (user, servers) or communications

Attacking the host

• Malicious payloads– Proxy settings

• Javascript or Java applets– http://www.securityfocus.com/bid/4228/discussion/

– BackOrifice• PCAnywhere, open source

– Chernobyl virus• Activate on certain day• Modified bios

Get the code on their machine

• MyDoom

• instant messenger, file sharing– Windows Media Player (Java vulnerability)

• AOL

• Microsoft Office code

DoS/DDoS attacks

• Attack servers– Public key encryption– Regular expression attacks

• Ping of death

• DoS attacks on individual applications– Java (exploit system code)

Social Engineering

• SSL– Average user checking a certificate– Even if it’s bad, will some just proceed

anyways?

• Spoofing– Web site– Poisoning DNS cache

What is needed?

• Trusted path between user and election server– Malicious code should not have a way to

interfere with normal operation.

• Allow citizens outside of the country to vote in an easy manner

• Should be at least as secure as current absentee voting ballot designs

• SSL connection to a central server

• Local Election Official (LEO) precinct computer downloads registration/ballots from central server

SERVE design

Server

Voter

<nam

e, E kv

(bal

lot)>

LEO precinct computer

Ballots

<GET BALLOTS>

<EkLEO (BALLOTS)>

Some Security Considerations

• Attack central server, LEO server, host machine, communications (DNS)

• Privacy– LEO’s can view entire precinct’s votes– Central server could view everyone’s votes

• Windows only• ActiveX and Java used for central server and

user– 75 flaws in Java from 1999-2003 according to CVE

(not all are actual entries)

DoS/DDoS in SERVE

• Central server provides a single point of attack

• LEO

• Election spans longer period of time (month)

• DDoS excess of 150 Gbps– E-commerce sites with 10 Gbps link

Measuring it all up• Vote Coercion

– Impossible to detect

• Vote Selling– Buyers outside of US?

• Vote Solicitation– AOL and Pop-ups will go crazy

• Online Registration– Man-in-the-middle

• Voter Privacy– Not possible with this scheme

Proposed Alternatives

• Remote ballot printer recommended with the voter mailing in the printed ballot

• Chaum’s SureVote scheme with voter-verifiable receipts using Visual Cryptography

• VoteHere (covered by Richard) with a threshold cryptography scheme

Additional Reading

• IEEE Security & Privacy, Jan/Feb 2004 special issue on E-voting

• SureVote, VoteHere DRE schemes

• David Dill’s http://www.verifiedvoting.org

“The fact that 50 votes were cast in Florida using VOI, and that a change of 269 votes in the official tally of that state would have resulted in Al Gore becoming President.”

SERVE report, Jan. 21, 2004