
Page 1

University of Oslo, Department of informatics – © Gerhard Skagestein, June 17th 2010

Can we trust electronic voting?

Why e-voting can not be compared with Internet banking

Rådet for større IT-sikkerhet: E-valg i Danmark

Copenhagen June 17th 2010

Gerhard Skagestein, University of Oslo

Page 2


When netbanking – why not e-voting?


Netbanking: The identity of the netbank customer is no secret.
E-voting: The identity of the voter behind a ballot should be kept a secret.

Netbanking: The netbank customer can verify the correct behaviour of the banking system by looking at the account statement.
E-voting: The correct behaviour of an e-voting system is difficult to verify (but there are some solutions).

Netbanking: The netbank customer worries about his own bank account only.
E-voting: The e-voter worries about his own ballot, but in addition also about all the other ballots.

Netbanking: If something should be incorrect, the bank can easily fix it.
E-voting: If something should be proven to be incorrect, the election authorities can probably not easily fix it.

Page 3


Why do we trust systems?

Either: we observe that the system behaves as we expect it to do (black box view).
(figure: input → output)

Or: the mechanisms in the system are so simple that it is obvious that it will work as we expect it to do (white box view).

Page 4


What’s so special about computerised systems?

- Immensely complicated
  o handled by “divide and conquer”: modularisation, layering
- Components are used over and over again, for a lot of different purposes
- Easily modifiable
  o Good for flexibility, but bad for trust
- There is no such thing as a guaranteed safe and correct computerised system (cf. Bruce Schneier: Secrets and Lies)
- … (but there is no such thing as a guaranteed safe and correct non-computerised system, either)

Page 5


Verifying the e-voting system – Black box: some proposals

- Before the election
  o Verify the behaviour of the system by running artificial ballots through the system
- During the election
  o Give the voter a confirmation that his ballot has arrived unchanged in the electronic ballot box
  o Introduce ballots from artificial voters and check that they arrive in the electronic ballot box (those ballots will of course not be counted)
- After the election
  o Compare the result of the election with the results of the “exit poll” (valgdagsmåling)

Page 6


Verifying the e-voting system – White box

- Black-box verification before the election alone is not sufficient, because the system may be programmed to change behaviour later. Inspecting the critical parts of the internal logic (white-box testing) is necessary.
- To make white-box verification possible, the mechanisms of the system must be accessible:
  o The programming code of the computerised system
  o The operative procedures around the computerised system
- Verifying the program code requires programming skills
  o From layman to expert control
  o Who should be the experts?
- The system verified should be the system running
- Verifying all modules (including for example the operating system) is unrealistic. Instead, we must build on standardised modules!

Page 7


An important regulation

The Legal, Operational and Technical Standards for E-voting, Recommendation Rec(2004)11 adopted by the Committee of Ministers of the Council of Europe (the “Recommendation”), states:

I. Transparency
20. Member states shall take steps to ensure that voters understand and have confidence in the e-voting system in use.

This means that the verification must be carried out so that it can be observed in some way by the public, or even performed by the public!

Page 8


Vote casting alternatives

(figure: matrix of vote casting alternatives; rows = type of ballot, columns = phase 1 (early voting) / phase 2 (Election Day), each split into controlled and uncontrolled environments)

- Paper ballots
  o phase 1 (early voting), controlled environments: conventional paper ballot – early voting
  o phase 1 (early voting), uncontrolled environments: postal voting
  o phase 2 (Election Day), controlled environments: conventional paper ballot on Election Day
- Electronic voting
  o phase 1 (early voting), controlled environments: e-voting in election offices – early voting
  o phase 1 (early voting), uncontrolled environments: e-voting at home – early voting
  o phase 2 (Election Day), controlled environments: e-voting in polling station on Election Day
  o phase 2 (Election Day), uncontrolled environments: e-voting at home on Election Day

Page 9


Vote casting alternatives

Which alternatives should be allowed – and for which group of voters?

(figure: the electronic voting row of the matrix on page 8)

- Electronic voting
  o phase 1 (early voting), controlled environments: e-voting in election offices – early voting
  o phase 1 (early voting), uncontrolled environments: e-voting at home – early voting
  o phase 2 (Election Day), controlled environments: e-voting in polling station on Election Day
  o phase 2 (Election Day), uncontrolled environments: e-voting at home on Election Day

Page 10


Identification and authentication of the voter

- In an uncontrolled environment, the voter must identify himself to the e-voting system
- Identification and authentication of the voter may be done by a generally available PKI system (citizen identity card)
  o cheaper than a special-purpose election credential
  o the voter will not be tempted to sell it
- The e-ballot may be connected to the voter’s real identity, or (safer?) to a derived pseudo-identity
- But how do we separate the voter’s identity from his ballot?

Page 11


Encrypted anonymous e-ballots: the double envelope principle

(figure: data flow of the double envelope principle)

- Voter side
  o Ballot → encrypting with the public key of the election event → encrypted ballot
  o Encrypted ballot → digital signing with the voter’s private key → digitally signed, encrypted ballot
  o The digitally signed, encrypted ballot is sent over the datanet
- Election side
  o Received e-ballots with digital signature → verification of the voter’s digital signature → list of e-voters to be marked in the voter register
  o The encrypted ballots, now without the signature → decrypting the ballots with the private key of the election event → e-ballots to be counted

Page 12


The double envelope principle…

…ensures (hopefully)
- the secrecy and the authenticity of the vote
- that the voter’s identity and the content of the ballot can never be connected

Page 13


The danger of compromising the secrecy of the ballot

The double envelope file and the private key of the election must NEVER meet!
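The double envelope flow of pages 11 to 13, as an added Go example that is not part of the slides: the voter seals the ballot under the election's public key (inner envelope) and signs the ciphertext with the voter's own key (outer envelope); the receiving side verifies the signature against the voter register, marks the voter and strips the outer envelope; only the anonymous inner envelopes ever meet the election private key. The key types (RSA-OAEP for the election event, Ed25519 for voters), the DoubleEnvelope type and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

type DoubleEnvelope struct {
	VoterID   string // outer envelope: identity of the voter
	Encrypted []byte // inner envelope: ballot sealed with the election public key
	Signature []byte // outer envelope: voter's signature over Encrypted
}

// NewElectionKey creates the election event key pair (2048-bit RSA, chosen for the example).
func NewElectionKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Voter side: seal the ballot with the election public key, then sign the ciphertext.
func Cast(id string, voterPriv ed25519.PrivateKey, electionPub *rsa.PublicKey, ballot string) (DoubleEnvelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, electionPub, []byte(ballot), nil)
	if err != nil {
		return DoubleEnvelope{}, err
	}
	return DoubleEnvelope{id, ct, ed25519.Sign(voterPriv, ct)}, nil
}

// Reception side: verify the signature against the voter register, mark the voter, keep only the inner envelope.
func OpenOuter(received []DoubleEnvelope, register map[string]ed25519.PublicKey) (marked []string, inner [][]byte) {
	for _, env := range received {
		pub, ok := register[env.VoterID]
		if !ok || !ed25519.Verify(pub, env.Encrypted, env.Signature) {
			continue // unknown voter or bad signature: the envelope is rejected
		}
		marked = append(marked, env.VoterID)
		inner = append(inner, env.Encrypted)
	}
	return marked, inner
}

// Counting side: the election private key only ever meets inner envelopes, which carry no voter identity.
func Decrypt(inner [][]byte, electionPriv *rsa.PrivateKey) ([]string, error) {
	var ballots []string
	for _, ct := range inner {
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, electionPriv, ct, nil)
		if err != nil {
			return nil, err
		}
		ballots = append(ballots, string(pt))
	}
	return ballots, nil
}
```

A real system would also shuffle (mix) the inner envelopes before decryption, since keeping them in arrival order would let the list of marked voters be matched against the decrypted ballots, and would keep the election private key offline until counting.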

Page 14


Threats

- Technical
  o Falsifying votes by bogus software (especially on home computers)
  o Compromising voters’ anonymity and secrecy of vote
  o Denial of service attacks
  o Technical breakdown
- Social/democratic (in uncontrolled environments)
  o Questionable anonymity and secrecy
  o Bargaining votes
  o Voting subject to coercion (“family voting”)
  o Voting taken less seriously

Page 15


Will I trust electronic voting?

Maybe…