Nathanael Paul - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Nathanael Paul
CRyptography Applications Bistro February 3, 2004
2
Electronic Voting
  • Convenient
  • Supposed to increase voter turnout
  • Quicker counts
  • Handicapped/disabled
  • I wonder where the votes go once you touch the
    screen and if it's possible to mess with the
    vote.
  • Carol Jacobson, Berkeley, CA

3
Threats
  • Vote Coercion
  • Vote Selling
  • Vote Solicitation
  • Online Registration
  • Voter Privacy
  • Could have been a scrawny teenage script kiddie, but now
    a foreign government

4
Rubin's Security Considerations for Remote
Electronic Voting over the Internet
  • Hosts are assumed to be Windows using IE/Netscape
  • Internet connection using TCP/IP
  • Attack the endpoints (user, servers) or
    communications

5
Attacking the host
  • Malicious payloads
  • Proxy settings
  • Javascript or Java applets
  • http://www.securityfocus.com/bid/4228/discussion/
  • BackOrifice
  • PCAnywhere, open source
  • Chernobyl virus
  • Activate on certain day
  • Modified bios

6
Get the code on their machine
  • MyDoom
  • instant messenger, file sharing
  • Windows Media Player (Java vulnerability)
  • AOL
  • Microsoft Office code

7
DoS/DDoS attacks
  • Attack servers
  • Public key encryption
  • Regular expression attacks
  • Ping of death
  • DoS attacks on individual applications
  • Java (exploit system code)

8
Social Engineering
  • SSL
  • Average user checking a certificate
  • Even if it's bad, will some just proceed anyway?
  • Spoofing
  • Web site
  • Poisoning DNS cache

9
What is needed?
  • Trusted path between user and election server
  • Malicious code should not have a way to interfere
    with normal operation.

10
  • Allow citizens outside of the country to vote in
    an easy manner
  • Should be at least as secure as current absentee
    voting ballot designs
  • SSL connection to a central server
  • Local Election Official (LEO) precinct computer
    downloads registration/ballots from central server

11
SERVE design (diagram; the three messages recovered from the slide)
  Voter -> Server: <name, Ekv(ballot)>
  LEO precinct computer -> Server: <GET BALLOTS>
  Server -> LEO precinct computer: <EkLEO(BALLOTS)>
12
Some Security Considerations
  • Attack central server, LEO server, host machine,
    communications (DNS)
  • Privacy
  • LEOs can view an entire precinct's votes
  • Central server could view everyone's votes
  • Windows only
  • ActiveX and Java used for central server and user
  • 75 flaws in Java from 1999-2003 according to CVE
    (not all are actual entries)
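
As an added example that is not part of the slides, a small Python model of the SERVE exchange (<name, Ekv(ballot)>, <GET BALLOTS>, <EkLEO(BALLOTS)>) that makes the privacy point concrete: to turn ballots encrypted under kv into a bundle encrypted under kLEO, the central server must decrypt every ballot, and the LEO then sees its whole precinct's names and votes. The cipher is a toy SHA-256 keystream, and the key layout (kv shared between voter and central server, kLEO between server and precinct LEO), the voter names and the sample votes are all assumptions.

```python
import hashlib
import json
import os

# Toy SHA-256 counter-mode keystream: illustration only, not a real cipher.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)
def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)
def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _xor_stream(key, ciphertext[:16], ciphertext[16:])

class CentralServer:
    # Assumed key setup: kv is a per-voter key shared with the central server (the
    # SSL session), kLEO a per-precinct key shared with that precinct's LEO computer.
    def __init__(self, voter_keys, leo_keys, registry):
        self.voter_keys, self.leo_keys, self.registry = voter_keys, leo_keys, registry
        self.stored = []    # <name, E_kv(ballot)> exactly as cast
        self.observed = []  # plaintext the server necessarily sees

    def cast(self, name: str, enc_ballot: bytes) -> None:
        self.stored.append((name, enc_ballot))

    def get_ballots(self, precinct: str) -> bytes:
        # To answer <GET BALLOTS> with <E_kLEO(BALLOTS)> the server must strip E_kv
        # first, so every ballot in the precinct passes through it in the clear.
        ballots = []
        for name, enc in self.stored:
            if self.registry[name] != precinct:
                continue
            vote = decrypt(self.voter_keys[name], enc).decode()
            self.observed.append((name, vote))
            ballots.append({"name": name, "ballot": vote})
        return encrypt(self.leo_keys[precinct], json.dumps(ballots).encode())

def run_election():
    # Constructed sample data: three voters in two precincts.
    voter_keys = {v: hashlib.sha256(b"kv:" + v.encode()).digest() for v in ("alice", "bob", "carol")}
    leo_keys = {p: hashlib.sha256(b"kLEO:" + p.encode()).digest() for p in ("P1", "P2")}
    registry = {"alice": "P1", "bob": "P1", "carol": "P2"}
    server = CentralServer(voter_keys, leo_keys, registry)
    for name, choice in (("alice", "yes"), ("bob", "no"), ("carol", "yes")):
        server.cast(name, encrypt(voter_keys[name], choice.encode()))  # <name, E_kv(ballot)>
    leo_p1 = json.loads(decrypt(leo_keys["P1"], server.get_ballots("P1")))  # LEO's view
    return server.observed, leo_p1
```

Both return values carry names next to plaintext choices, which is the "not possible with this scheme" verdict on voter privacy from slide 14.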

13
DoS/DDoS in SERVE
  • Central server provides a single point of attack
  • LEO
  • Election spans longer period of time (month)
  • DDoS in excess of 150 Gbps
  • E-commerce sites with 10 Gbps link

14
Measuring it all up
  • Vote Coercion
  • Impossible to detect
  • Vote Selling
  • Buyers outside of US?
  • Vote Solicitation
  • AOL and Pop-ups will go crazy
  • Online Registration
  • Man-in-the-middle
  • Voter Privacy
  • Not possible with this scheme

15
Proposed Alternatives
  • Remote ballot printer recommended with the voter
    mailing in the printed ballot
  • Chaum's SureVote scheme with voter-verifiable
    receipts using Visual Cryptography
  • VoteHere (covered by Richard) with a threshold
    cryptography scheme

16
Additional Reading
  • IEEE Security Privacy, Jan/Feb 2004 special
    issue on E-voting
  • SureVote, VoteHere DRE schemes
  • David Dill's http://www.verifiedvoting.org

The fact that 50 votes were cast in Florida
using VOI, and that a change of 269 votes in the
official tally of that state would have resulted
in Al Gore becoming President. SERVE report,
Jan. 21, 2004