
1 17-803/17-400 Electronic Voting Session 10: Internet Voting
Michael I. Shamos, Ph.D., J.D., Institute for Software Research International, Carnegie Mellon University. 17-803/ ELECTRONIC VOTING FALL COPYRIGHT © 2004 MICHAEL I. SHAMOS

2 Outline
- Internet voting issues
- SENSUS (Lorrie Cranor)
- Project SERVE
- Canton of Geneva, Switzerland

3 Internet Voting: Where?
- Polling place
- Kiosks
- Home
- Anywhere

4 Internet Voting Benefits
- Convenience
- Accessibility in all weather, for all ages
- Vote anywhere, maybe even from a cellphone
- Availability of candidate information
- Maybe lower operating cost (maybe not) if regular polling places are eliminated

5 Internet Voting Risks
- Digital divide: people without Internet access, people without computer skills
- Security, trust
- Casual environment
- Open to the world

6 Internet Voting Security Risks
- Bugs
- Backdoors to manipulation
- Malicious code
- COTS (Commercial Off-the-Shelf Software), e.g. Windows, may contain exploits
- Insider attacks: compromising results, compromising privacy
- Client attacks: the operator (for Internet cafes); worms, viruses, ActiveX, spyware

7 Internet Voting Security Risks
- Denial of Service: DDOS attacks on the server; selective disenfranchisement
- Spoof websites: a fake “official” site captures voting credentials, issues a fake acknowledgement, then casts the real vote differently
- Promotion of coercion: automated credential-selling; installation of watcher software

8 SENSUS Protocol (Lorrie Cranor)
[Diagram: the BALLOT passes from the Voter through the Validator to the Tallier; the labels show the Tallier’s Public Key and Voter’s Private Key applied on the voter’s side, and the Tallier’s Private Key and Voter’s Public Key applied on the tallier’s side.] Tallier and validator can collude to violate privacy. SOURCE: LORRIE CRANOR

9 Blind Signatures (Chaum)
Sometimes it is useful to have people sign things without seeing what they are signing:
- notarizing confidential documents
- preserving anonymity
Alice wants to have Bob sign message M. (In cryptography, a message is just a number.)
- Alice multiplies M by a number -- the blinding factor.
- Alice sends the blinded message to Bob. He can’t read it -- it’s blinded.
- Bob signs with his private key and sends it back to Alice.
- Alice divides out the blinding factor. She now has M signed by Bob.

10 Blind Signatures
Alice wants to have Bob sign message M. Bob’s public key is $(e, n)$ and Bob’s private key is $d$, with $e \cdot d = 1 \pmod{n}$.
- Alice picks a blinding factor $k$ between 1 and $n$.
- Alice blinds the message M by computing $T = M k^e \pmod{n}$ and sends $T$ to Bob.
- Bob signs $T$ by computing $T^d = (M k^e)^d \pmod{n} = M^d k \pmod{n}$.
- Alice unblinds this by dividing out the blinding factor: $S = T^d / k = M^d k / k \pmod{n} = M^d \pmod{n}$.
But this is the same as if Bob had just signed M, except that Bob was unable to read $T$.

11 The Sensus Polling Protocol
- Pollster - the user’s agent - trusted by the user
- Validator - validates ballots (without seeing the content of ballots)
- Tallier - counts validated ballots and reports results (without knowing which voter voted which ballot)
- Registrar - registers voters
SOURCE: LORRIE CRANOR

12 The Pollster prepares the ballot
- Presents ballot questions to the user and records answers
- Generates a key pair and seals the ballot
- Blinds the sealed ballot
- Signs the blinded, sealed ballot
SOURCE: LORRIE CRANOR

13 The Sensus Polling Protocol (slides 13-18 show the exchange between Pollster, Validator and Tallier one step at a time)
1. Pollster → Validator: blinded, sealed ballot; ID number; signature
2. Validator → Pollster: signed, blinded, sealed ballot
3. Pollster → Tallier: sealed ballot, signed by validator
4. Tallier → Pollster: sealed ballot, signed by tallier; receipt #
5. Pollster → Tallier: receipt #; key to unseal ballot
SOURCE: LORRIE CRANOR

19 Sensus assumptions
- Communication occurs over an anonymous channel
- Machines (along with secrets on them) are secure (including users’ machines!)
- Messages are not likely to arrive at validator and tallier in the same order
- Strong encryption
- Election is not disrupted due to denial of service attacks, power outages, etc.
Can we count on these assumptions to be true? SOURCE: LORRIE CRANOR

20 Even if these assumptions hold
- If voters abstain, the validator may submit ballots for them
- These invalid ballots may be detected, but not corrected
- Voters can prove how they voted (and sell their votes)
- Only weak verifiability (voters can verify their votes, but not a third party)
SOURCE: LORRIE CRANOR
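The blind-signature arithmetic of slide 10 and the five-step exchange of slides 13-18 can be run end to end in a few dozen lines. The Python below is an added example written for this page, not Cranor's Sensus code. It assumes textbook RSA with tiny hand-picked primes; a pollster that seals the ballot under a freshly generated RSA key pair, so that the unsealing exponent is what gets handed to the tallier in step 5; hash-then-sign for the voter's own signature in step 1; and a registrar modelled as a plain dictionary from voter id to public key. The private exponent d is computed as the inverse of e modulo φ(n) = (p-1)(q-1), the relation that makes the blinding factor cancel in the unblinding step. The DishonestValidator class reproduces the slide 20 observation: a validator can cast a ballot in an abstaining voter's name, the tallier cannot tell that ballot apart, and the abstainer detects it only by finding their id on the validator's list of issued signatures.

```python
# Toy walkthrough of Chaum-style RSA blind signatures (slide 10) driving the Sensus
# pollster / validator / tallier exchange (slides 13-18), plus the slide 20 abstention
# check. Constructed example, not Cranor's code; primes are tiny and not secure.
import hashlib
import math
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class RSAKey:
    n: int
    e: int
    d: int = 0  # private exponent; left at 0 in a public-only copy
    def public(self):
        return RSAKey(self.n, self.e)

def make_key(p, q, e=17):
    # d is the inverse of e modulo phi(n) = (p-1)(q-1); that relation is what makes
    # (k^e)^d = k (mod n), so the blinding factor drops out when unblinding
    return RSAKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def blind(m, key):
    """Alice's step: T = M * k^e (mod n) for a random k coprime to n; returns (T, k)."""
    while True:
        k = secrets.randbelow(key.n - 2) + 2
        if math.gcd(k, key.n) == 1:
            return (m * pow(k, key.e, key.n)) % key.n, k

def sign(m, key):
    return pow(m, key.d, key.n)

def unblind(blinded_sig, k, key):
    # "dividing out k" means multiplying by the inverse of k modulo n
    return (blinded_sig * pow(k, -1, key.n)) % key.n

def verify(m, sig, key):
    return pow(sig, key.e, key.n) == m

def digest(value, key):
    # hash-then-sign: reduce SHA-256 of the value into the key's modulus
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % key.n

class Validator:
    """Signs each registered voter's blinded ballot once, without seeing its content."""
    def __init__(self, key, register):          # register: voter id -> voter's public key
        self.key, self.register, self.issued = key, register, set()

    def sign_ballot(self, voter_id, blinded, auth_sig):        # steps 1 and 2
        pub = self.register[voter_id]
        if not verify(digest(blinded, pub), auth_sig, pub):
            raise PermissionError("voter signature does not check out")
        if voter_id in self.issued:
            raise PermissionError("voter %s already validated a ballot" % voter_id)
        self.issued.add(voter_id)
        return sign(blinded, self.key)

class DishonestValidator(Validator):
    def stuff(self, absent_voter, choice, seal_key, tallier):
        """Slide 20: a ballot in an abstainer's name; only the issued list reveals it."""
        self.issued.add(absent_voter)
        sealed = pow(choice, seal_key.e, seal_key.n)
        receipt, _ = tallier.accept(sealed, sign(sealed, self.key))
        tallier.unseal(receipt, seal_key)

class Tallier:
    def __init__(self, key, validator_pub):
        self.key, self.validator_pub = key, validator_pub
        self.pending, self.opened = {}, []                   # receipt -> sealed; opened votes

    def accept(self, sealed, validator_sig):                 # steps 3 and 4
        if not verify(sealed, validator_sig, self.validator_pub):
            raise PermissionError("ballot lacks a valid validator signature")
        receipt = secrets.randbelow(10**6)
        self.pending[receipt] = sealed
        return receipt, sign(sealed, self.key)

    def unseal(self, receipt, seal_key):                     # step 5
        sealed = self.pending.pop(receipt)
        self.opened.append(pow(sealed, seal_key.d, seal_key.n))

def cast(voter_id, choice, auth_key, seal_key, validator, tallier):
    """The pollster's side of the exchange; returns the tallier's receipt number."""
    sealed = pow(choice, seal_key.e, seal_key.n)             # seal under a fresh key pair
    blinded, k = blind(sealed, validator.key.public())
    auth_sig = sign(digest(blinded, auth_key), auth_key)     # voter signs the blinded ballot
    validator_sig = unblind(validator.sign_ballot(voter_id, blinded, auth_sig),
                            k, validator.key.public())
    receipt, tallier_sig = tallier.accept(sealed, validator_sig)
    if not verify(sealed, tallier_sig, tallier.key.public()):
        raise PermissionError("tallier receipt signature invalid")
    tallier.unseal(receipt, seal_key)                        # send receipt # and unsealing key
    return receipt

if __name__ == "__main__":
    alice_auth = make_key(53, 59)
    validator = Validator(make_key(101, 113), {"alice": alice_auth.public()})
    tallier = Tallier(make_key(107, 109), validator.key.public())
    cast("alice", 2, alice_auth, make_key(61, 53), validator, tallier)
    print(tallier.opened)  # [2]
```

Run as a script it validates one voter and prints the opened ballot. A second sign_ballot call for the same voter id raises PermissionError, which is the one-ballot-per-voter property; the blinded value T never equals the sealed ballot, so the validator learns nothing about the vote; and the tallier accepts only sealed ballots whose unblinded signature verifies under the validator's public key. The stuffed ballot from DishonestValidator passes that check, which is why slide 20 says such ballots are detected (by the abstainer) but not corrected.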

21 Project SERVE
- About 5,000,000 citizens are eligible to vote but cannot, because they are unable to comply with absentee voting requirements or they are physically unable to cast votes because of circumstances (military service)
- This is almost 5% of voters
- To address this, Congress passed UOCAVA, the Uniformed and Overseas Citizens Absentee Voting Act

22 UOCAVA, 42 U.S.C. 1973ff
Each State shall—
(1) permit absent uniformed services voters and overseas voters to use absentee registration procedures and to vote by absentee ballot in general, special, primary, and runoff elections for Federal office;
(2) accept and process … any otherwise valid voter registration application and absentee ballot application from an absent uniformed services voter or overseas voter, if … received … not less than 30 days before the election;
(3) permit overseas voters to use Federal write-in absentee ballots … in general elections for Federal office; and
(4) use the official post card form (prescribed under … this title) for simultaneous voter registration application and absentee ballot application.

23 Congressional Mandate
§1604 FY02 National Defense Authorization Act:
- DoD to carry out an electronic voting demonstration project through the Federal Voting Assistance Program (FVAP)
- Absentee Uniformed Services voters
- November 2002 or 2004 general election
- Participation of sufficient numbers so that results are statistically relevant
- Coordinate with state election officials
- Report to Congress (June 2005)

24 DoD Response
- Include all absentee Uniformed Services and overseas citizens
- Target of 100,000 voters, a cross-section of election jurisdictions: 7 states (out of 50), 51 counties (out of 3140)
- Use the electronic system beginning January 2004 for voter registration, voting in primaries and the general election
- Killed in February 2004 by Deputy Defense Secretary Wolfowitz after an essay by four computer scientists

25 Evaluation Questions
- Is remote Internet registration and voting an effective, affordable and secure method to improve absentee uniformed services and overseas citizens’ access to the polls?
- What do we need to know to implement this type of system as an alternative to by-mail?

26 SERVE Election Life Cycle
[Diagram] Pre-Election Activities (LEO, on LEO Systems): Ballot Definition: define, proof & finalize ballots; preview ballots; approve election; transfer election to UVS Central. Citizen Votes (Election Admin, Voting): vote; ballot data. Post-Election Activities (LEO, on the UVS Laptop and LEO Systems): Tabulation: download ballots; decrypt & tabulate; SERVE results.

27 UOCAVA Voting System Architecture
[Diagram] UVS Central Hosting Environment: Web Server (SERVEUSA.gov), Voting Engine, Ballot Definition, Ballot Reconciliation, Voter Registration, Identification & Authentication (I & A) Process, Voter Status Check, UVS Administration; data stores: UVS Control Data, Ballot Definitions, Voted Ballots (Encrypted). Citizens reach the web server over HTTPS through a firewall. LEO 1 … LEO n connect over HTTPS and SFTP from a LEO Workstation and a Local Server at the LEO Site; LEO processes are Voter Registration, Ballot Definition, Ballot Decryption, Ballot Tabulation and Voter History, with the UVS Laptop at the LEO site.

28 Voter Registration Process
[Diagram] (1) Citizen → UOCAVA Voting System (UVS) Applications Database over HTTPS. (2) LEO UOCAVA Server exchanges VR Data & UVS Control Data with the LEO Infrastructure (Election Administration System, VR Tool, LEO Local Server, LEO Local Workstations) over SFTP/HTTPS, with a manual step.

29 Ballot Definition and Proofing Process
[Diagram] (1) LEO Local Workstations define ballots via the LEO UOCAVA Server (Ballot Definition, over HTTPS). (2) A Ballot Definition Service Bureau supplies a common format file. (3) Ballot Definitions & Rules and UVS Control Data are loaded into the UOCAVA Voting System (UVS) and proofed through Ballot Preview.

30 Citizen Voting Process
Citizen actions and UVS responses (diagram):
1. Citizen Login (language, party, LEO URL)
2. Request Ballot: UVS selects the ballot for the voter (blank ballots, control data)
3. Vote Ballot (races: President, Governor, Mayor, …): UVS stores and encrypts the voter’s choices
4. Confirm Ballot Choices: UVS retrieves the choices and builds the confirmation page
5. Vote Received (“Congratulations. Your vote has been received.”): UVS marks the stored choices as confirmed and encrypts them with the LEO public key; encrypted voted ballots are held at UVS Central
Notes: The term ‘application’ refers to the voter application to register to vote and/or request an absentee ballot. ‘Control Data’ refers to a list of defined fields sent in a file from a Local Election Office to the UOCAVA Voting System; this provides a response to the application form file. The fields include: SERVE ID, Precinct, Precinct Split, Voter Status, Voter Registration ID, Voter Address, Voter Status Reason, Party Affiliation, Voter Last Name, Voter Visually Impaired.
© 2004 Accenture. All rights reserved.

31 Voting and Voter History
[Diagram] Citizen → UOCAVA Voting System (UVS) over HTTPS: Ballot Def. Data, Encrypted Voted Ballots. (1) LEO UOCAVA Server ↔ LEO Infrastructure (LEO Local Server) over SFTP/HTTPS: UVS Control Data, Voter History. (2) VR Data & UVS Control Data, manual.

32 Reconciliation & Tabulation Processes
[Diagram] UOCAVA Voting System (UVS): Ballot Def. Data, Encrypted Voted Ballots, UVS Control Data, Ballot Reconciliation; LEO UOCAVA Server ↔ LEO Infrastructure over HTTPS. (1) Download to LEO Local Workstations / UVS Laptop: Decrypt, Tabulate, File. (2) Local Tabulation System, manual reports. Steps: Ballot Reconciliation, Tabulation.

33 System Threats and Mitigation Measures
- Network Security: Encryption; Intrusion Detection Systems; Redundant Firewalls; Penetration Tests
- Privacy: Digital Signatures; Secure Socket Layers; Voter Identity – Ballot Data Separation
- Virus, Worm, Trojan Horse: Anti Virus Scanning
- Spoofing: Secure Sockets Layer (SSL)
- Denial of Service: Large Quantity of Bandwidth, Multiple Carriers; Multiple Internet Service Provider Entry Points; Utilization Monitoring
- Voter Fraud: Voted Ballot Data Verification

34 UVS Security Features
- Digital signatures for authentication of all users
- Centralized servers host all processes except ballot decryption and tabulation
- All voted ballot data encrypted
- Applications and data completely enveloped by layers of physical security, disaster recovery, network and denial of service mitigations
- External peer review and critique of the security architecture

35 Personal Digital Signatures
- Issued to all SERVE participants (citizens, LEOs, system administrators)
- Medium assurance (X.509 compliant)
- Stored on server for portability
- Citizen must remember a password and challenge question
- Provides an audit trail of all participant transactions

36 Critique of SERVE
Jefferson, Rubin, Simons, Wagner were four of nine members of the SERVE Project Review Group. Their points:
- DRE systems have been criticized; SERVE is Internet- and PC-based
- Vulnerable to large-scale attacks by parties outside the reach of U.S. law
- Impossible to estimate the probability of a successful attack
- Vulnerabilities cannot be fixed by a redesign of SERVE, but are fundamental to the Internet architecture
- Even if SERVE worked flawlessly in a 2004 experiment, that would not mean it was safe
- We recommend shutting down SERVE development immediately

37 Internet voting: Status, Perspectives and Issues
Michel Chevallier, Head of communication, Geneva State Internet voting project. ITU E-Government workshop, Geneva, 6 June 2003

38 Geneva developed one of the first public Internet voting applications in the world.
Held the first ballot using the Internet in January 2003, in a suburban municipality near Geneva. Voters had three ways to cast a ballot: postal voting, polling stations and the Internet. ~200,000 registered voters in Geneva.

39 Transition Stages in Internet Voting
EVE («Evaluating Practices & Validating technologies in E-democracy») showed that Internet voting is mostly considered by countries that have already implemented changes in polling methods: placing electronic ballot boxes in polling stations, introducing postal voting, using the Internet as a political campaign tool.

40 Role of the Political System
The political system plays a role in the decision to develop an Internet voting application. It is not a coincidence that the two leading countries in Internet voting, the UK and Switzerland, are decentralized states. Secrecy is not equally important everywhere: the more stringent the law on secrecy, the more difficult the implementation of Internet voting. The UK and Switzerland have «soft» regulations.

41 Swiss Voters Want Versatility
Swiss citizens vote 4 to 6 times a year. Postal voting exists in 22 of 26 Swiss cantons. In Geneva last year, 95% of the voters cast their vote by post; nationwide, the percentage exceeds 50%. In Geneva, postal voting has increased the turnout by 20 percentage points over the last 8 years (from an average of 30%-35% to an average of 50%-55%).

42 Consolidating a positive trend
In an ever-changing world, you must innovate to maintain your position. This is also true of public services. We were looking for a way of consolidating the success of postal voting and increasing ballot flexibility. We wanted to improve ballot access for citizens living abroad and disabled voters. We wanted to take better into account the habits of many citizens, who travel on week-ends and school holidays.

43 Cost
Is Internet voting cheaper? Ballot reading is automatic, no recounts are needed. Not necessarily!
Parameters influencing cost:
- Will polling stations be eliminated?
- Will smartcards be issued?
- Should voters buy plug-in devices?
- What is the cost of system maintenance?
- How often will upgrades occur?

44 Conditions for a Democratic Ballot
«Contracting parties undertake to hold free elections at reasonable intervals by secret ballot, under conditions which will ensure the free expression of the opinion of the people (…)» (Art. 3 of Protocol 1 to the European Convention on Human Rights)

45 11 Commandments of Internet Voting (1)
The provisions of the European Convention on Human Rights and our own legal rules define an 11-point terms of reference for Internet voting:
1) Votes cannot be intercepted nor modified,
2) Votes cannot be known before the official ballot reading,
3) Only registered voters will be able to vote,
4) Each voter will have one and only one vote,
5) Vote secrecy is guaranteed. It NEVER will be possible to link a voter and his/her vote,

46 11 Commandments of Internet Voting (2)
6) The voting web site will resist any denial of service attack,
7) Voters will be protected against identity theft,
8) The number of cast votes will be equal to the number of received ballots,
9) It will be possible to prove that a given citizen has voted,
10) The system will not accept votes outside the ballot opening period,
11) The system will be auditable.

47 An illustration: user friendliness vs. safety
Here’s the example of a simple issue: safety vs user friendliness. IT experts told us to write a new OS and distribute it on CD-ROMs to the population. For them, any other choice would have been unsafe. Of course we didn’t, because nobody would have used it.

48 An idea whose time has come
In 2000, we felt that the public was receptive to Internet voting:
- Internet connectivity had been growing steadily for a few years,
- eCommerce turnover grew significantly,
- A poll conducted in the whole country showed 66% of Internet users would like to be able to vote online,
- Parliament reversed a previous negative vote and asked for Internet voting to be studied,
- The Geneva electoral law allows eVoting testing without prior local Parliament approval,
- Geneva’s voters register was the only one in Switzerland already digitized.

49 A proprietary solution
In 2000, the State issued a tender to seek private partners to realize the eVoting application. Hewlett-Packard and Wisekey (digital certificates) were chosen as partners. The tender:
- underlined the legal requirements for ballots,
- proposed a structure for the system,
- imposed that the servers should be located in a secured environment, within the State premises,
- imposed that the application’s code should be available for independent experts to check (proprietary solution owned by the State).

50 System Structure
[Diagram] Voter’s PC → Internet (secure transaction, SSL 128) → Firewall → Entrance web server (Microsoft; multiple accesses; regular DNS refreshing) → Firewall → Identification web server (Linux) holding the voters register → Vote server (Virtualvault HP) holding the eBallot box.

51 No Man-in-the-Middle Attack
Besides giving the voters the possibility to check the site’s certificate fingerprint, we introduced a personal code on the eBallot. Each voting card carries a personal code (besides the hidden identification one): 7425 in this example. When the system confirms your vote, it displays the code underneath the vote. If you don’t see this code, you must stop the connection and call our helpdesk.

52 Encrypted Ballot
Political parties’ representatives hold the keys to decryption. All keys (all parties) are needed to decrypt the eBallot box. (Illustration: plaintext Yes-abcdefg-xyz, encrypted Xcfg-zYax-e-sbe.)

53 Ballot Secrecy
[Diagram: voters register + eBallot box] Before opening the eBallot box, we mix its content to make it impossible to match the recording time and date of a vote to the scoring-out time and date of a name in the voters register.

54 Postal and Internet Ballots Managed by the Same DB
[Diagram: the eBallot box (Internet voting) and postal voting both write vote date and vote time into the voters register] Whether you vote by Internet or by post, your voting date and time are recorded in the same voters register. This ensures that nobody votes twice.

55 eVoting Site Open for Three Weeks
[Timeline: off limits, legal voting period, off limits] The voting period is the same for Internet and postal voting. Both end on a Saturday. On Sunday, polling stations are open.

56 Control Ballot (Parallel Testing)
[Diagram: electronic counting vs. manual counting] Parties’ representatives cast two ballots: paper and electronic. The tally from both boxes must give the same result.
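As an added example, not the Geneva application's code, the following Python models the mechanisms of slides 52-56 together: ballots encrypted under a box key whose private exponent is split additively among the parties' representatives, so that every share is needed to open the box; the single voters register that scores out each voter once with the date, time and channel of the vote; the enforced voting period; mixing of the box before it is opened; and a parallel-test comparison of an electronic control box against its paper counterpart. The cipher is textbook RSA with constructed small primes (p=1009, q=1013 by default) and ballot choices encoded as small integers, chosen for readability; a real system needs randomised encryption at proper key sizes, since identical textbook-RSA ciphertexts reveal identical votes.

```python
# Toy model of the Geneva eBallot handling on slides 52-56: a voters register shared
# by postal and Internet votes, an enforced voting period, an eBallot box that opens
# only with every party's key share, mixing before opening, and a parallel test.
# Constructed example, not the Geneva application's code; key sizes are toy-sized.
import secrets
from collections import Counter
from datetime import datetime

CHOICES = ("yes", "no", "blank")   # constructed ballot question

def make_box_key(p, q, e=17):
    """Textbook RSA box key: returns (n, e, d, phi). Only (n, e) stays on the server."""
    phi = (p - 1) * (q - 1)
    return p * q, e, pow(e, -1, phi), phi

def split_private_exponent(d, phi, parties):
    """Additive shares of d modulo phi. Since c^(s1+...+sk) = c^d (mod n), decryption
    needs every share and no single party ever holds d."""
    shares = [secrets.randbelow(phi) for _ in range(parties - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares

class ElectionOffice:
    def __init__(self, voters, opens, closes, parties, p=1009, q=1013):
        n, e, d, phi = make_box_key(p, q)
        self.n, self.e = n, e                                    # d is not retained here
        self.shares = split_private_exponent(d, phi, parties)    # one per party representative
        self.opens, self.closes = map(datetime.fromisoformat, (opens, closes))
        self.register = {v: None for v in voters}  # voter -> (channel, when) once scored out
        self.ebox, self.postal = [], []

    def cast(self, voter, choice, channel, when):
        """Slides 54 and 55: one register, one vote per voter, one voting period."""
        when = datetime.fromisoformat(when)
        if not self.opens <= when <= self.closes:
            raise ValueError("outside the voting period")
        if voter not in self.register:
            raise ValueError("not on the voters register")
        if self.register[voter] is not None:
            raise ValueError("already voted by %s" % self.register[voter][0])
        self.register[voter] = (channel, when)
        if channel == "internet":
            # index + 2 keeps the plaintext coprime to n and away from the fixed points 0 and 1
            self.ebox.append(pow(CHOICES.index(choice) + 2, self.e, self.n))
        else:
            self.postal.append(choice)

    def open_ebox(self, shares):
        """Slides 52 and 53: mix the box, then combine every party's partial decryption."""
        if len(shares) != len(self.shares):
            raise PermissionError("all parties' keys are needed to open the eBallot box")
        mixed = list(self.ebox)
        secrets.SystemRandom().shuffle(mixed)        # breaks the link to recording order
        opened = []
        for c in mixed:
            m = 1
            for s in shares:
                m = m * pow(c, s, self.n) % self.n   # partial decryption with one share
            opened.append(CHOICES[m - 2])
        return opened

def tally(ballots):
    return dict(Counter(ballots))

def parallel_test(control_office, shares, paper_control):
    """Slide 56: the control eBallot box and the paper control box must agree."""
    return tally(control_office.open_ebox(shares)) == tally(paper_control)
```

Dates are passed as ISO-8601 strings, as a web form would deliver them. Opening the box with one share missing raises PermissionError rather than producing garbage, and because each party computes its partial decryption independently, the full exponent d never has to be reassembled anywhere; that is the property behind "all keys (all parties) are needed".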

57 Voting Card
[Diagram: voting card with a birthdate field; the secret code is unveiled by scratching] All necessary safety elements, whether for polling station voting, postal voting or Internet voting, appear on the voting card.

58 Voting Dialog
[Diagram: Voter’s PC ↔ State’s protected server over SSL]
- Identification: the voter enters his birth date and place of origin, checked against the voters register
- The e-ballot is sent to the voter
- The voter fills the e-ballot online
- The system asks for confirmation of the voter’s choice (“Confirmation de l’expression d’un vote”: confirmation that a vote has been cast)
- The vote goes into the eBallot box and the voter receives confirmation that he has voted

59 Voting card
This half contains the identification features for Internet voting; the other half is needed to vote by post or at the polling station. The Internet voting application is essentially a re-engineering of postal voting.

60 Swiss eBallot lessons
The % of votes cast on the Internet was far greater than expected: 43.6% of the voters used the Internet and 49.9% postal voting. The three-channel ballot gave the same outcome, but percentages differed.* There were more voters above 60 years old on the Internet (14%) than voters under 24 years (12%). 93% of eVoters trust our system. The more they use the Internet, the more they trust it. The younger they are, the less they trust it.
* By the way, this is another issue to consider: do you give detailed or consolidated results? We give consolidated ones.

61 Q & A

