Providing Trusted Paths Using Untrusted Components Andre L. M. dos Santos Georgia Institute of Technology

Electronic Voting Assumptions: –There is a framework for electronic voting All the crypto is embedded in the framework. –Smart cards, USB tokens, or any other portable tamper resistant device adds security to electronic voting. Problem: –Would a tamper proof smart card solve all problems of electronic voting?

Do You Know to Whom are you Voting ?

What is the problem? The devices that are used for direct I/O with a human needs to be tamper proof. –So, not only the card needs to be tamper proof …. I vote for John Hommer’s Vote is for Bob Or NOT ????

Hard AI Problems Informally, something that humans can do easily but computers can't. CAPTCHA -- Completely Automated Turing Test to Tell Computers and Humans Apart Generate random message, transform it, ask human to repeat it Transformation problem: –Subset of hard AI problems that transform a message –Example: distort text of message so that only humans can read it

KHAP: Keyed Hard AI Problems A transformation problem that includes a shared secret key Instances generated with different keys are distinguishable Computers can't steal keys from messages Formalisms ( t=T(m,k) is (α, β, γ, δ, ε, ζ)-keyed transformation) –the probability that a human can extract m from t is at least α –the probability that a human with knowledge of k can correctly verify whether k was used to create t is at least β –there does not exist a computer program that runs in time ζ such that the probability of the program extracting m from t is greater than γ –there does not exist a computer program that runs in time ζ such that the probability of the program extracting k from t is greater than δ –let A be a computer program that modifies t to include m’ ≠ m; there does not exist an A that runs in time ζ such that the probability of a human failing to detect the modification is greater than ε

Protocol

3-D Keyed Transformation Render text and objects in a 3-D scene to 2-D image (raytrace) Randomize parameters (lighting, position, rotation, size, colors) Human can read text from 2-D image Key is appearance of objects Human looks for particular objects in scene Scene is hard to modify in a meaningful way (shadows, reflections, finding objects) Provide authenticity (presence of keys) and integrity (modifications can be detected by human)

E-Voting using 3-D Images

Considerations How does a human confirm a message? –Disconnect, or not, trusted platform When should you connect your platform? –Confirmation word How does a low computing power device performs the transformation? –Can use (semi) trusted servers connected using an anonymizing network –Needs to worry about covert channels What is the best transformation? –Others examples are speech and text.

Considerations Replays and Human Professors –Time stamps –Aging –Spatial relationships Easy to guess keys –Cute puppy dog! –May be easier to avoid

Conclusions This is a general approach for interacting with trusted computers Many features of electronic voting systems help the use of this approach Easy to use –Avoid computation, memory aids: ask humans to do what they do best –Some problems are intuitive (e.g., recognizing voice)