| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9E443268-341A-11D9-BEBE-000D93C20BB0@gotlinux.us> Date: Thu, 11 Nov 2004 14:48:11 -0500 From: Adam Jacob Muller <adam@...linux.us> To: <ghalleen@...co.com> Cc: "'Jei'" <jei@...hut.fi>, "'Jay D. Dyson'" <jdyson@...achery.net>, "'Bugtraq'" <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com> Subject: Re: RE: Evidence Mounts that the Vote Was Hacked we are not allowed to see log files, packet captures and pinpointing exactly who the conspirators are would be tenable at best. The fact is, the election was hacked. Look at the difference between exit polling and actual results. Discrepancies of only a few points exist in counties that use paper ballots, while in places that use black boxes the discrepancies are much more pronounced. In Pennsylvania exit polls called the state for kerry with more than a 12 point margin, in the end he won the state by less than 2%. I would also like to say that I know this not because I listened to some liberal talk show (even though I do), but because I was THERE! On election day (and the day before) I worked as a commander with the election protection coalition. We are a non-partisan group set up to do election day incident reporting. as a whole our group took calls from all fifty states, the call center I was running took calls from 4 states. I know firsthand that the election was stolen. The strangest thing is that my call center did not cover any battleground states (or swing states)... in fact, in all four states we covered the outcome was virtually assured, but still, the evidence of disenfranchisement was palpable. So, if they cheated in the states where the outcome was assured, what did they do in the battleground states? Some of the things that I saw: poll workers in minority districts in South Carolina telling people that casting a party line ballot casts a vote for president. poll workers, again in minority districts in SC, harassing voters about their choices. in texas, (e-slate), many people reported that casting a democratic party-line ballot cast a vote for George Bush as president. These are just 3 issues that occurred, we took over 2000 calls in just my call center, there were 20+ call centers across the country and as a whole we took in over 30k calls. I don't need to listen to a talk show to know there was widespread fraud, intentional disenfranchisement. They cheated. Adam Jacob Muller Where is it written in the Constitution, in what article or section is it contained, that you may take children from their parents and parents from their children, and compel them to fight the battles of any war in which the folly and wickedness of the government may engage itself? Under what concealment has this power lain hidden, which now for the first time comes forth, with a tremendous and baleful aspect, to trample down and destroy the dearest right of personal liberty? Who will show me any Constitutional injunction which makes it the duty of the American people to surrender everything valuable in life, and even life, itself, whenever the purposes of an ambitious and mischievous government may require it? . . . A free government with an uncontrolled power of military conscription is the most ridiculous and abominable contradiction and nonsense that ever entered into the heads of men. -Daniel Webster On Nov 10, 2004, at 6:29 PM, Gary Halleen ((ghalleen)) wrote: > Political commentary by a left-leaning talk show host is not worthy of > posting to this list. > > It's unfortunate the moderator allowed the posting at all. This > article > contained only opinions regarding the discrepancies between the exit > polls > and final election results. > > I'm not interested in entertaining thoughts of a group of hackers > changing > the results of an election, or of a massive conspiracy between > elections > managers manually changing Access databases, unless you can back it up > with > actual factual data. > > Show us log files, packet captures, or e-mail messages from the > conspirators > or leave this commentary to gossip columns where it belongs. > > Gary > > > > -----Original Message----- > From: Jei [mailto:jei@...hut.fi] > Sent: Tuesday, November 09, 2004 10:41 PM > To: Jay D. Dyson > Cc: Bugtraq; full-disclosure@...ts.netsys.com > Subject: Re: Evidence Mounts that the Vote Was Hacked > > On Tue, 9 Nov 2004, Jay D. Dyson wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On Mon, 8 Nov 2004, Atom 'Smasher' wrote: >> >>> Evidence Mounts that the Vote Was Hacked >> >> Read the whole thing and didn't see any evidence. Just wild >> speculation and baseless conjecture. Hell, there were countless >> counties across the nation in which more people were registered to >> vote than were eligible residents, but -- for some reason -- that >> ain't > news. > > It would be _major_ news, were it not America where it happened. > Even India managed to hold a secure digital election recently, without > any > such major exit poll or other discrepancies happening. > > Also note that Americans aren't the only people in the world with > capable > intelligence agencies. Teenage kid hackers aren't the only people who > might > influence US elections' outcomes, given a viable chance. You need to > consider all the factors. > > Digital voting needs to be as secure and reliable as bank accounts are > from > an independent (democratic) nation's national security point of view. A > digital vote discrepancy == national bank account discrepancy, in it's > importance, in this regard. > > Arguing that vote discrepancies don't really matter, is like a system > admin > arguing that system binary checksum discrepancies do not matter. > > In any case, it means you're royally f*cked, and although you may wish > to > fantasize otherwise, it doesn't change the reality. > > You need to know that you're secure, or your security people aren't > doing > their job. > > // Jei > > http://www.infosecwriters.com/hhworld/hh9/voting.txt > > Hitchhiker's World (Issue #9) > http://www.infosecwriters.com/hhworld/ > > Observable Elections > -------------------- > > Vipul Ved Prakash <mail@...ul.net> > November 2004 > > > This is an interesting time for electronic voting. India, > the largest democracy in the world, went completely paper- > free for its general elections earlier this year. For the > first time, some 387 million people expressed their > electoral right electronically. Despite initial concerns > about security and correctness of the system, the election > process was a smashing success. Over a million electronic > voting machines (EVMs) were deployed, 8000 metric tonnes of > paper saved[1] and the results made public within few hours > of the final vote. Given the quarrelsome and heavily > litigated nature of Indian democracy, a lot of us were > expecting post-election drama, but only a few, if any, > fingers were found pointing. > > Things didn't fare so well in the United States. The > Dieobold electronic machines, slated for use in many states > for the November 2004 Federal elections, turned out to have > rather large security holes. Cryptography experts, Avi Rubin > et al, did a formal analysis of the machines and found that > they could be subverted to introduce votes that were never > casted[2]. An independent government-backed analysis > confirmed this[3] and concluded that the Diebold voting > system "as implemented in policy, procedure, and technology, > is at a high risk of compromise." > > It is clear, even to a cursory observer, that Diebold > systems are sloppily designed, never mind the sloppiness is > a function of incompetence or intent. The recent controversy > from the "Black Box Voting" security advisory titled "the > Diebold GEMS central tabulator contains a stunning security > hole"[4] has added to the confusion. It claims that a code > entered at a remote location can replace the real vote count > with a fabricated one. This security hole, discovered last > year, is still not fixed says the advisory. In response, > Diebold claims that this is possible, but only in debug > mode, which does little to make people confortable. > > What is disturbing to me as a technologist is the > burgeoning public opinion that electronics is an unviable > medium for conducting the serious business of elections. > Over the last year I've seen numerous formal reports and > articles in popular press[5] equating the failures of > Diebold systems with the untenability of electronic voting. > This is rather silly. Diebold systems are not only poorly > engineered, they are also seriously flawed in design. Even > if they were immaculately bug-free, they are so far from > what electronic voting systems should be, that I have > trouble categorizing them as "voting systems". "Electronic > counters" is more accurate. > > Various augmentations have been proposed to Diebold systems; > most revolve around parallel paper trails. Verified > Voting[6] for example proposes that a vote be printed based > on the voter's touch-screen selection, so the voter can > touch, feel and verify their vote before casting it into a > traditional ballet box. These votes would then be processed > with an OCR type machine to compute a cumulative result and > the physical votes would be saved so an independent party > can verify the electronic result at a latter date. This is a > reasonable tradeoff -- after all integrity of elections is > way more important than saving trees and time. > > While this is the best recommendation for the upcoming > elections, it subtly promotes the primacy of paper and > distrust in electrons. We know that paper elections are no > more secure. The history of vote tampering in paper based > elections is quite illustrious (I'll simply refer the gentle > reader to [7]) and the reason electronics was considered in > the first place was to eliminate such tampering. Verified > Voting recommends that count of the physical votes is to be > considered superior than that of the electronic counterparts > in case of a difference. What happens if the process of this > count is tampered using traditional methods? We are back to > square one. > > The central point that I want to get across in this paper is > that the promise of electronic voting is not merely a > quicker, slightly more secure and ecologically enlightened > replacement for paper elections. Electronic voting, if > implemented correctly, could be a major qualitative leap, > not only changing the way in which we approach democratic > elections, but also the the way in which we expect a > democratic government to function. > > Cryptographic Integrity > > I want to draw attention to the work done by cryptographic > community in the last 20 years to study, formalize and solve > many of the problems of Internet Voting. This area of work > is focused on building election systems that leave behind a > trail of mathematical proofs of the integrity of the voting > process. With mathematical solutions to the common issues of > vote tampering, it becomes unnecessary to trust election > officials and it becomes possible to build voting systems > that are open and universally verifiable. > > A voting system for appointing a democratic government has > certain "ideal properties". These are rather obvious, but I > recount them for the purpose of this discussion. First, all > votes must be counted exactly like they were casted. > Altering a vote, or leaving one out from the final tally > must be impossible. Ballot stuffing, ie. artificial > injection of invalid votes must be impossible as well. The > system should reject non-eligible voters, and ensure > eligible users can cast only a single vote. And, finally, > votes must be absolutely anonymous -- even the voter should > be unable to prove the way in which they voted. Systems like > Diebold's depend on large-scale observation to uphold the > ideal properties. Large-scale observation is hard, and once > an act of tampering is done, there is little that can be > done to detect or correct it. The attacks such as the one > described by the Black Box Voting advisory are particularly > heinous, since they compromise the entire election process. > > The ideal properties are true in paper elections when they > are implemented perfectly, but the nature of paper precludes > proofs of correctness without compromising anonymity. The > problems are much the same as in the "Electronic Counter" > systems; without correctness proofs, it is largely > infeasible to detect and correct tampering. > > Cryptographers have been trying to emulate the property of > anonymity that is inherent to paper when it us used as cash > or votes. The research in the field has led to invention of > several mathematical primitives and computing systems that > not only model paper but go beyond to provide proofs of the > properties they emulate. Techniques like blind signatures, > homomorphic encryption, digital mixes and onion routing have > been used to build systems that provide strong anonymity. > > The pioneering cryptographer David Chaum introduced the > blind signature in order to build permit truly anonymous > interaction on the Internet[8]. Since then, they have been > applied to all manner of problems from untraceable > electronic cash to electronic voting schemes. Blind > signatures are a class of digital signatures that allow a > document to be signed without revealing its contents. The > effect is similar to placing a document and a sheet of > carbon paper inside an envelope. When the envelope is > signed, the signature transfers to the document and remains > on it even when the envelope is removed. > > In his paper, Chaum hinted that blind signatures could be > used for secret ballot elections. Fujioka, Okamoto, and > Ohta[9] created the first significant blind signature based > voting protocol, which made it practical to use blind > signatures in democratic elections. However, some problems > were discovered in their work, most notably the system's > vulnerablity to a corrupt election authority. I present a > system, dubbed ``Athens'', that builds on their work, but > solves several problems in their model. I also focus on a > real-world election system, rather than an Internet one, and > adopt a pragmatic approach, in that I make use of physical > resources like volunteers and physical infrastructure > usually available for large-scale democratic elections. > Athens also borrows elements and thinking from the > Sensus[10] system and David Chaum's recent work on Visual > Cryptography[11]. > > Design of Athens > > The basic procedure for conducting a democratic election is > fairly standard. The procedure has four tasks: Registration, > Validation, Collection and Tallying. In Athens, these four > tasks are carried out with a few specialized machines and > software, most of which are connected through the Internet. > While Athens employs an Election Authority to oversee the > process of elections, it does away with the dependence on > trustworthiness of one. Athens philosophy is that there are > no truly non-partisan parties; even the Election Authority > can't be completely trusted. The Athens model is closer to a > "game" between contesting parties, such that the only way to > cheat in the game is for all competitors to collude - an > axiomatic impossibility. The Election Authority performs > tactical tasks to optimize the election process, but all > tasks performed by the Authority are open to review by > competing parties. > > Registration > > Registration is the process of determining eligible voters, > and is conducted by the "Registrar" -- a distributed > authority put in place by the Election Authority. The Athens > registration process involves validating voters (through > traditional means) and registering their "Voter Public Key" > in the "Register." The corresponding "Voter Secret Key" > remains with the voter, magnetically encoded (or bar coded > for cheaper implementation) on a "Voting Card". > > The keys are generated through the "Voting Card Creator > Machine". The Card Creator Machine is also implemented as > software that can be used by a voter on their home computer. > It is not hard to imagine Card Creators installed in local > registration offices or even at Kinko's and shopping malls, > where they charge a few dollars for generating a card. > Fairness in design is important, because Card Creators could > compromise the security of the system by storing the key > pairs they generate. > > A card creator is mostly an RSA key generator - it needs > computing power of a 300 Mhz PC, and is constructed fairly > cheaply. Once the voter enters their personal information > into the machine, it spits out two cards: one with the > public key, that is handed over to the Registrar and the > other with the secret key and identification information > required by the Election Authority (like the social security > number of the voter.) The second card is known as the > "Voting Card" and is used to validate the voter at the time > of elections. Both cards also contain a large random number, > known as the Voter Id. This is used throughout the voting > process to facilitate lookups in the Register without > compromising the privacy of the voter. > > Once all voters have handed their Voter Public Key Card over > to the Registrar, the registration process is considered to > be complete. As with traditional elections, there is a cut- > off date for this process. > > On completion of registration, the Election Authority hands > the Register over to all the competitors. The competitors > then check every 1 in 1000 entries (or more according to > their capacity) to ensure that they belong to a legitimate > voter, i.e. it isn't a fake entry inserted by a corrupt > competitor to stuff the ballot. This process is woefully > lacking in elections of today, and a hence a major vector > for election fraud. Mathematics can do little to alleviate > the dangers of registering fake voters, but competitors who > depend on the correctness of the Register and raise funds > for the purpose can easily perform this task. Register > verification would be a lucrative business for independent > professional services organizations, so it is not hard to > imagine such organizations sprouting up to assume delegation > of this responsibility. > > The competitors also put the Register on the Internet before > the election so that voters can ensure their voter key is > present in all copies of the Register. When requested, each > competing party provides a digitally signed proof that the > voter is registered to vote, i.e. their key is present in > the Register. The voter, if denied the right to vote, can > take this proof to a court of law. A pre-voting verification > of eligibility limits the kind of fiasco that occurred in > Florida during the Presidential elections of 2000, where a > large number of people were denied vote. > > Validation > > In most electronic voting protocols, there exists the notion > of the "Validator" - a party that holds the Register and > validates voters during the election. In Athens, the > competing parties, that were handed a copy of the Register > in the previous step, all serve as Validators. Athens, > therefore, is a multi-validator system. It is reasonable to > assume that independents or fiscally constrained parties > would team up and have a single Validator represent them. > > Validators are connected to the Internet and run Validation > software, that accepts validation requests over a TCP port. > The Validators are firewall'ed off to accept data only from > certain IP addresses. The Electronic Voting Machines talk to > the Validators via a Proxy. EVMs could theoretically talk > directly to Validators, but the reasons for using a proxy > will become apparent later. The Proxy is operated by the > Election Authority and observed by representatives from all > competing parties. > > Validators have their own RSA key pair, the public portion > of which is published widely over the Internet. They also > maintain two lists (other than the Register). This is the > list of voters who have casted a vote and a list of > corresponding validation requests. > > Before the commencement of the election, the Election > Authority chooses a a random number which is known as the > "Election Number". The only property of this number is its > uniqueness to the election - it should not have been used in > a previous election. The Election Number is distributed to > all Validators. > > Electronic Voting Machines (EVMs) used in Athens are quite > unlike Diebold's or the ones used in the Indian elections. > Athens' EVMs are simply "agents" that vote on behalf of the > voter. Each EVM has an Id and a RSA key pair. The public > part of the EVM key is published widely over the Internet. > Communications initiated by the EVM are signed with EVMs > secret key. The elections are considered formally commenced, > when the Validators broadcast the Election Number and their > public keys to EVMs via the Proxy. > > The Athens Voting Protocol > > The voter enters a private booth and swipes their Voting > Card on the EVM. The EVM reads the secret key and the Voter > Id off the Card. The EVM has a little printer attached to > it, much like a cash register receipt printer, on which it > prints out the Voter Id. It the sends the voter Id off to > the Validators via the proxy to initiate a "voting session" > on behalf of the voter. If the voter has already casted a > vote, Validators return a "proof" of previously casted vote. > The proof and its implications are discussed a little later. > If there's no previous vote, the Validators send a positive > acknowledgment and the EVM asks the voter to cast a ballot. > The voter enters their vote using the on-screen display. The > EVM concatenates the Voter's choice with the Election Number > (EN) and the result is encrypted with a secret key (randomly > generated) using a symmetric cipher like AES. The encrypted > ballot is then blinded. At this point, the EVM has: > > [....] > > http://www.infosecwriters.com/hhworld/hh9/voting.txt > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > !DSPAM:4192c988241202110578342! > On Nov 10, 2004, at 6:29 PM, Gary Halleen ((ghalleen)) wrote: Political commentary by a left-leaning talk show host is not worthy of posting to this list. It's unfortunate the moderator allowed the posting at all. This article contained only opinions regarding the discrepancies between the exit polls and final election results. I'm not interested in entertaining thoughts of a group of hackers changing the results of an election, or of a massive conspiracy between elections managers manually changing Access databases, unless you can back it up with actual factual data. Show us log files, packet captures, or e-mail messages from the conspirators or leave this commentary to gossip columns where it belongs. Gary -----Original Message----- From: Jei [mailto:jei@...hut.fi] Sent: Tuesday, November 09, 2004 10:41 PM To: Jay D. Dyson Cc: Bugtraq; full-disclosure@...ts.netsys.com Subject: Re: Evidence Mounts that the Vote Was Hacked On Tue, 9 Nov 2004, Jay D. Dyson wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 8 Nov 2004, Atom 'Smasher' wrote: Evidence Mounts that the Vote Was Hacked Read the whole thing and didn't see any evidence. Just wild speculation and baseless conjecture. Hell, there were countless counties across the nation in which more people were registered to vote than were eligible residents, but -- for some reason -- that ain't news. It would be _major_ news, were it not America where it happened. Even India managed to hold a secure digital election recently, without any such major exit poll or other discrepancies happening. Also note that Americans aren't the only people in the world with capable intelligence agencies. Teenage kid hackers aren't the only people who might influence US elections' outcomes, given a viable chance. You need to consider all the factors. Digital voting needs to be as secure and reliable as bank accounts are from an independent (democratic) nation's national security point of view. A digital vote discrepancy == national bank account discrepancy, in it's importance, in this regard. Arguing that vote discrepancies don't really matter, is like a system admin arguing that system binary checksum discrepancies do not matter. In any case, it means you're royally f*cked, and although you may wish to fantasize otherwise, it doesn't change the reality. You need to know that you're secure, or your security people aren't doing their job. // Jei http://www.infosecwriters.com/hhworld/hh9/voting.txt Hitchhiker's World (Issue #9) http://www.infosecwriters.com/hhworld/ Observable Elections -------------------- Vipul Ved Prakash <mail@...ul.net> November 2004 This is an interesting time for electronic voting. India, the largest democracy in the world, went completely paper- free for its general elections earlier this year. For the first time, some 387 million people expressed their electoral right electronically. Despite initial concerns about security and correctness of the system, the election process was a smashing success. Over a million electronic voting machines (EVMs) were deployed, 8000 metric tonnes of paper saved[1] and the results made public within few hours of the final vote. Given the quarrelsome and heavily litigated nature of Indian democracy, a lot of us were expecting post-election drama, but only a few, if any, fingers were found pointing. Things didn't fare so well in the United States. The Dieobold electronic machines, slated for use in many states for the November 2004 Federal elections, turned out to have rather large security holes. Cryptography experts, Avi Rubin et al, did a formal analysis of the machines and found that they could be subverted to introduce votes that were never casted[2]. An independent government-backed analysis confirmed this[3] and concluded that the Diebold voting system "as implemented in policy, procedure, and technology, is at a high risk of compromise." It is clear, even to a cursory observer, that Diebold systems are sloppily designed, never mind the sloppiness is a function of incompetence or intent. The recent controversy from the "Black Box Voting" security advisory titled "the Diebold GEMS central tabulator contains a stunning security hole"[4] has added to the confusion. It claims that a code entered at a remote location can replace the real vote count with a fabricated one. This security hole, discovered last year, is still not fixed says the advisory. In response, Diebold claims that this is possible, but only in debug mode, which does little to make people confortable. What is disturbing to me as a technologist is the burgeoning public opinion that electronics is an unviable medium for conducting the serious business of elections. Over the last year I've seen numerous formal reports and articles in popular press[5] equating the failures of Diebold systems with the untenability of electronic voting. This is rather silly. Diebold systems are not only poorly engineered, they are also seriously flawed in design. Even if they were immaculately bug-free, they are so far from what electronic voting systems should be, that I have trouble categorizing them as "voting systems". "Electronic counters" is more accurate. Various augmentations have been proposed to Diebold systems; most revolve around parallel paper trails. Verified Voting[6] for example proposes that a vote be printed based on the voter's touch-screen selection, so the voter can touch, feel and verify their vote before casting it into a traditional ballet box. These votes would then be processed with an OCR type machine to compute a cumulative result and the physical votes would be saved so an independent party can verify the electronic result at a latter date. This is a reasonable tradeoff -- after all integrity of elections is way more important than saving trees and time. While this is the best recommendation for the upcoming elections, it subtly promotes the primacy of paper and distrust in electrons. We know that paper elections are no more secure. The history of vote tampering in paper based elections is quite illustrious (I'll simply refer the gentle reader to [7]) and the reason electronics was considered in the first place was to eliminate such tampering. Verified Voting recommends that count of the physical votes is to be considered superior than that of the electronic counterparts in case of a difference. What happens if the process of this count is tampered using traditional methods? We are back to square one. The central point that I want to get across in this paper is that the promise of electronic voting is not merely a quicker, slightly more secure and ecologically enlightened replacement for paper elections. Electronic voting, if implemented correctly, could be a major qualitative leap, not only changing the way in which we approach democratic elections, but also the the way in which we expect a democratic government to function. Cryptographic Integrity I want to draw attention to the work done by cryptographic community in the last 20 years to study, formalize and solve many of the problems of Internet Voting. This area of work is focused on building election systems that leave behind a trail of mathematical proofs of the integrity of the voting process. With mathematical solutions to the common issues of vote tampering, it becomes unnecessary to trust election officials and it becomes possible to build voting systems that are open and universally verifiable. A voting system for appointing a democratic government has certain "ideal properties". These are rather obvious, but I recount them for the purpose of this discussion. First, all votes must be counted exactly like they were casted. Altering a vote, or leaving one out from the final tally must be impossible. Ballot stuffing, ie. artificial injection of invalid votes must be impossible as well. The system should reject non-eligible voters, and ensure eligible users can cast only a single vote. And, finally, votes must be absolutely anonymous -- even the voter should be unable to prove the way in which they voted. Systems like Diebold's depend on large-scale observation to uphold the ideal properties. Large-scale observation is hard, and once an act of tampering is done, there is little that can be done to detect or correct it. The attacks such as the one described by the Black Box Voting advisory are particularly heinous, since they compromise the entire election process. The ideal properties are true in paper elections when they are implemented perfectly, but the nature of paper precludes proofs of correctness without compromising anonymity. The problems are much the same as in the "Electronic Counter" systems; without correctness proofs, it is largely infeasible to detect and correct tampering. Cryptographers have been trying to emulate the property of anonymity that is inherent to paper when it us used as cash or votes. The research in the field has led to invention of several mathematical primitives and computing systems that not only model paper but go beyond to provide proofs of the properties they emulate. Techniques like blind signatures, homomorphic encryption, digital mixes and onion routing have been used to build systems that provide strong anonymity. The pioneering cryptographer David Chaum introduced the blind signature in order to build permit truly anonymous interaction on the Internet[8]. Since then, they have been applied to all manner of problems from untraceable electronic cash to electronic voting schemes. Blind signatures are a class of digital signatures that allow a document to be signed without revealing its contents. The effect is similar to placing a document and a sheet of carbon paper inside an envelope. When the envelope is signed, the signature transfers to the document and remains on it even when the envelope is removed. In his paper, Chaum hinted that blind signatures could be used for secret ballot elections. Fujioka, Okamoto, and Ohta[9] created the first significant blind signature based voting protocol, which made it practical to use blind signatures in democratic elections. However, some problems were discovered in their work, most notably the system's vulnerablity to a corrupt election authority. I present a system, dubbed ``Athens'', that builds on their work, but solves several problems in their model. I also focus on a real-world election system, rather than an Internet one, and adopt a pragmatic approach, in that I make use of physical resources like volunteers and physical infrastructure usually available for large-scale democratic elections. Athens also borrows elements and thinking from the Sensus[10] system and David Chaum's recent work on Visual Cryptography[11]. Design of Athens The basic procedure for conducting a democratic election is fairly standard. The procedure has four tasks: Registration, Validation, Collection and Tallying. In Athens, these four tasks are carried out with a few specialized machines and software, most of which are connected through the Internet. While Athens employs an Election Authority to oversee the process of elections, it does away with the dependence on trustworthiness of one. Athens philosophy is that there are no truly non-partisan parties; even the Election Authority can't be completely trusted. The Athens model is closer to a "game" between contesting parties, such that the only way to cheat in the game is for all competitors to collude - an axiomatic impossibility. The Election Authority performs tactical tasks to optimize the election process, but all tasks performed by the Authority are open to review by competing parties. Registration Registration is the process of determining eligible voters, and is conducted by the "Registrar" -- a distributed authority put in place by the Election Authority. The Athens registration process involves validating voters (through traditional means) and registering their "Voter Public Key" in the "Register." The corresponding "Voter Secret Key" remains with the voter, magnetically encoded (or bar coded for cheaper implementation) on a "Voting Card". The keys are generated through the "Voting Card Creator Machine". The Card Creator Machine is also implemented as software that can be used by a voter on their home computer. It is not hard to imagine Card Creators installed in local registration offices or even at Kinko's and shopping malls, where they charge a few dollars for generating a card. Fairness in design is important, because Card Creators could compromise the security of the system by storing the key pairs they generate. A card creator is mostly an RSA key generator - it needs computing power of a 300 Mhz PC, and is constructed fairly cheaply. Once the voter enters their personal information into the machine, it spits out two cards: one with the public key, that is handed over to the Registrar and the other with the secret key and identification information required by the Election Authority (like the social security number of the voter.) The second card is known as the "Voting Card" and is used to validate the voter at the time of elections. Both cards also contain a large random number, known as the Voter Id. This is used throughout the voting process to facilitate lookups in the Register without compromising the privacy of the voter. Once all voters have handed their Voter Public Key Card over to the Registrar, the registration process is considered to be complete. As with traditional elections, there is a cut- off date for this process. On completion of registration, the Election Authority hands the Register over to all the competitors. The competitors then check every 1 in 1000 entries (or more according to their capacity) to ensure that they belong to a legitimate voter, i.e. it isn't a fake entry inserted by a corrupt competitor to stuff the ballot. This process is woefully lacking in elections of today, and a hence a major vector for election fraud. Mathematics can do little to alleviate the dangers of registering fake voters, but competitors who depend on the correctness of the Register and raise funds for the purpose can easily perform this task. Register verification would be a lucrative business for independent professional services organizations, so it is not hard to imagine such organizations sprouting up to assume delegation of this responsibility. The competitors also put the Register on the Internet before the election so that voters can ensure their voter key is present in all copies of the Register. When requested, each competing party provides a digitally signed proof that the voter is registered to vote, i.e. their key is present in the Register. The voter, if denied the right to vote, can take this proof to a court of law. A pre-voting verification of eligibility limits the kind of fiasco that occurred in Florida during the Presidential elections of 2000, where a large number of people were denied vote. Validation In most electronic voting protocols, there exists the notion of the "Validator" - a party that holds the Register and validates voters during the election. In Athens, the competing parties, that were handed a copy of the Register in the previous step, all serve as Validators. Athens, therefore, is a multi-validator system. It is reasonable to assume that independents or fiscally constrained parties would team up and have a single Validator represent them. Validators are connected to the Internet and run Validation software, that accepts validation requests over a TCP port. The Validators are firewall'ed off to accept data only from certain IP addresses. The Electronic Voting Machines talk to the Validators via a Proxy. EVMs could theoretically talk directly to Validators, but the reasons for using a proxy will become apparent later. The Proxy is operated by the Election Authority and observed by representatives from all competing parties. Validators have their own RSA key pair, the public portion of which is published widely over the Internet. They also maintain two lists (other than the Register). This is the list of voters who have casted a vote and a list of corresponding validation requests. Before the commencement of the election, the Election Authority chooses a a random number which is known as the "Election Number". The only property of this number is its uniqueness to the election - it should not have been used in a previous election. The Election Number is distributed to all Validators. Electronic Voting Machines (EVMs) used in Athens are quite unlike Diebold's or the ones used in the Indian elections. Athens' EVMs are simply "agents" that vote on behalf of the voter. Each EVM has an Id and a RSA key pair. The public part of the EVM key is published widely over the Internet. Communications initiated by the EVM are signed with EVMs secret key. The elections are considered formally commenced, when the Validators broadcast the Election Number and their public keys to EVMs via the Proxy. The Athens Voting Protocol The voter enters a private booth and swipes their Voting Card on the EVM. The EVM reads the secret key and the Voter Id off the Card. The EVM has a little printer attached to it, much like a cash register receipt printer, on which it prints out the Voter Id. It the sends the voter Id off to the Validators via the proxy to initiate a "voting session" on behalf of the voter. If the voter has already casted a vote, Validators return a "proof" of previously casted vote. The proof and its implications are discussed a little later. If there's no previous vote, the Validators send a positive acknowledgment and the EVM asks the voter to cast a ballot. The voter enters their vote using the on-screen display. The EVM concatenates the Voter's choice with the Election Number (EN) and the result is encrypted with a secret key (randomly generated) using a symmetric cipher like AES. The encrypted ballot is then blinded. At this point, the EVM has: [....] http://www.infosecwriters.com/hhworld/hh9/voting.txt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html !DSPAM:4192c988241202110578342! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists