trusting e-voting – University of Oslo, Department of Informatics – © Gerhard Skagestein, June 17th 2010
Can we trust electronic voting?
Why e-voting can not be compared with Internet banking
Rådet for større IT-sikkerhet (Council for Greater IT Security): E-voting in Denmark
Copenhagen June 17th 2010
Gerhard Skagestein, University of Oslo
When netbanking – why not e-voting?
Netbanking: The identity of the netbank customer is no secret.
E-voting: The identity of the voter behind a ballot should be kept a secret.
Netbanking: The netbank customer can verify the correct behaviour of the banking system by looking at the account statement.
E-voting: The correct behaviour of an e-voting system is difficult to verify (but there are some solutions).
Netbanking: The netbank customer worries about his own bank account only.
E-voting: The e-voter worries about his own ballot, but in addition also about all the other ballots.
Netbanking: If something should be incorrect, the bank can easily fix it.
E-voting: If something should be proven to be incorrect, the election authorities can probably not easily fix it.
Why do we trust systems?
Either:
We observe that the system behaves as we expect it to do (black box view: we see only the input and the output)
Or:
The mechanisms in the system are so simple that it is obvious that it will work as we expect it to do (white box view)
What’s so special about computerised systems?
Immensely complicated
o handled by “divide and conquer”: modularisation, layering
o components are used over and over again, for a lot of different purposes
Easily modifiable
o good for flexibility, but bad for trust
There is no such thing as a guaranteed safe and correct computerised system (cf. Bruce Schneier: Secrets and Lies)
… (but there is no such thing as a guaranteed safe and correct non-computerised system, either)
Verifying the e-voting system – Black box: some proposals
Before the election
o Verify the behaviour of the system by running artificial ballots through the system
During the election
o Give the voter a confirmation that his ballot has arrived unchanged in the electronic ballot box
o Introduce ballots from artificial voters and check that they arrive in the electronic ballot box (those ballots will of course not be counted)
After the election
o Compare the result of the election with the result of the exit poll (valgdagsmåling, the election day survey)
Verifying the e-voting system – White box
Black-box verification before the election alone is not sufficient, because the system may be programmed to change its behaviour later. Inspecting the critical parts of the internal logic (white-box testing) is necessary.
To make white-box verification possible, the mechanisms of the system must be accessible:
o The program code of the computerised system
o The operational procedures around the computerised system
Verifying the program code requires programming skills
o From layman to expert control
o Who should be the experts?
The system verified must be the system actually running
Verifying all modules (including for example the operating system) is unrealistic. Instead, we must build on standardised modules!
An important regulation
The Legal, Operational and Technical Standards for E-voting
Recommendation Rec(2004)11 adopted by the Committee of
Ministers of the Council of Europe (the “Recommendation”) states:
I. Transparency
20. Member states shall take steps to ensure that voters
understand and have confidence in the e-voting system in use.
This means that the verification must be carried out
so that it can be observed in some way by the public,
or even performed by the public!
Vote casting alternatives (figure: a matrix of phase 1 (early voting) and phase 2 (Election Day) against controlled and uncontrolled environments, for paper ballots and electronic voting)
Paper ballots, controlled environment: conventional paper ballot – early voting; conventional paper ballot on Election Day
Paper ballots, uncontrolled environment: postal voting
Electronic voting, controlled environment: e-voting in election offices – early voting; e-voting in the polling station on Election Day
Electronic voting, uncontrolled environment: e-voting at home – early voting; e-voting at home on Election Day
Vote casting alternatives: which alternatives should be allowed – and for which group of voters?
Electronic voting, controlled environment: e-voting in election offices – early voting; e-voting in the polling station on Election Day
Electronic voting, uncontrolled environment: e-voting at home – early voting; e-voting at home on Election Day
Identification and authentication of the voter
In an uncontrolled environment, the voter must identify himself to the e-voting system
Identification and authentication of the voter may be done by a generally available PKI system (citizen identity card)
o cheaper than a special-purpose election credential
o the voter will not be tempted to sell it
The e-ballot may be connected to the voter's real identity, or (safer?) to a derived pseudo-identity
But how do we separate the voter's identity from his ballot?
Encrypted anonymous e-ballots – the double envelope principle
Voter side:
  Ballot → encrypting with the public key of the election event → encrypted ballot (the inner envelope)
  Encrypted ballot → digital signing with the voter's private key → digitally signed, encrypted ballot (the outer envelope)
  The signed, encrypted ballot is sent over the data network
Election side:
  Verification of the voter's digital signature
    → list of e-voters, to be marked in the voter register
    → received e-ballots with digital signature (kept)
  Decrypting the ballots with the private key of the election event → e-ballots to be counted
The double envelope principle…
…ensures (hopefully) the secrecy and the authenticity of the vote, and that the voter's identity and the content of the ballot can never be connected
The danger of compromising the secrecy of the ballot
The double envelope file and the private key of the election must NEVER meet!
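The double envelope flow from the preceding slides, and the rule that the signed file and the election private key must never meet, as an added example that is not the talk's own code: a toy Python model in which the registration step verifies outer envelopes against the voter register but never holds the election private key, and the counting step holds the private key but refuses any input that still carries an identity or a signature. Textbook RSA without padding and 512-bit keys are used only to make the data flow concrete; they are insecure and not a recommendation. The function names (cast_ballot, receive, strip_outer_envelopes, count), the three voters and their ballots are constructed for this example.

```python
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin for odd n > 3; toy key generation only."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:  # top bit set so the prime is exactly `bits` wide, low bit set so it is odd
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Toy textbook RSA pair ((n, e), (n, d)): no padding, small key, NOT secure."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(inner):
    """What the voter signs: SHA-256 of the inner (encrypted) envelope."""
    return int.from_bytes(hashlib.sha256(inner.to_bytes(64, "big")).digest(), "big")

def cast_ballot(ballot, election_pub, voter_id, voter_priv):
    """Voter side. Inner envelope: ballot encrypted with the election event's
    public key. Outer envelope: the voter's signature over the inner envelope."""
    n, e = election_pub
    m = int.from_bytes(ballot.encode(), "big")
    assert m < n, "toy scheme: the ballot must fit in one RSA block"
    inner = pow(m, e, n)
    vn, vd = voter_priv
    return {"voter_id": voter_id, "inner": inner, "signature": pow(_digest(inner), vd, vn)}

def receive(envelopes, voter_register):
    """Election side, step 1: verify the outer envelope against the voter register
    and mark the voter. Learns who voted, never what: it has no election private key."""
    marked, accepted = set(), []
    for env in envelopes:
        pub = voter_register.get(env["voter_id"])
        if pub is None or env["voter_id"] in marked:
            continue  # unknown voter, or a second ballot from the same voter
        vn, ve = pub
        if pow(env["signature"], ve, vn) != _digest(env["inner"]):
            continue  # signature does not verify: forged or tampered
        marked.add(env["voter_id"])
        accepted.append(env)
    return marked, accepted

def strip_outer_envelopes(accepted):
    """Open the outer envelopes: keep only the anonymous inner envelopes, in a
    fresh random order so that position cannot link a ballot back to a voter."""
    inners = [env["inner"] for env in accepted]
    random.SystemRandom().shuffle(inners)
    return inners

def count(inner_envelopes, election_priv):
    """Election side, step 2: the only place the election private key is used.
    Input still carrying an identity or signature is refused, so the signed
    double-envelope file and the private key never meet."""
    if any(not isinstance(c, int) for c in inner_envelopes):
        raise ValueError("refusing to decrypt: outer envelopes still attached")
    n, d = election_priv
    tally = {}
    for c in inner_envelopes:
        m = pow(c, d, n)
        ballot = m.to_bytes((m.bit_length() + 7) // 8, "big").decode()
        tally[ballot] = tally.get(ballot, 0) + 1
    return tally

def run_demo():
    """Constructed scenario: three registered voters, one forged envelope, one duplicate."""
    election_pub, election_priv = keygen()
    keys = {v: keygen() for v in ("alice", "bob", "carol")}
    register = {v: pub for v, (pub, _) in keys.items()}
    envelopes = [
        cast_ballot("Party A", election_pub, "alice", keys["alice"][1]),
        cast_ballot("Party C", election_pub, "bob", keys["carol"][1]),  # forged: wrong key
        cast_ballot("Party B", election_pub, "bob", keys["bob"][1]),
        cast_ballot("Party A", election_pub, "carol", keys["carol"][1]),
        cast_ballot("Party B", election_pub, "alice", keys["alice"][1]),  # duplicate
    ]
    marked, accepted = receive(envelopes, register)
    return marked, count(strip_outer_envelopes(accepted), election_priv)
```

In the demo, receive() marks all three voters, drops the forged and the duplicate envelope, and count() tallies two ballots for Party A and one for Party B without ever seeing a voter identity. The type check in count() is only a stand-in for the real separation the slide demands: in practice the registration step and the counting step run on separately administered systems, and the shuffle in strip_outer_envelopes() is the minimal form of the mixing needed so that the order of the anonymous file cannot be matched against the order of arrivals.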
Threats
Technical
o Falsifying votes by bogus software (especially on home computers)
o Compromising voters' anonymity and the secrecy of the vote
o Denial of service attacks
o Technical breakdown
Social/democratic (in uncontrolled environments)
o Questionable anonymity and secrecy
o Bargaining with votes (vote selling)
o Voting subject to coercion (“family voting”)
o Voting taken less seriously
Will I trust electronic voting?
Maybe…