security issues facing online voting systems

Security Issues Facing Online Voting Systems - Joe Hernandez, MEIA CS-6910, Dr. Chow


Post on 18-Feb-2016


TRANSCRIPT

Page 1: Security Issues Facing Online Voting Systems

Security Issues Facing Online Voting Systems
Joe Hernandez
MEIA CS-6910
Dr. Chow

Page 2: Security Issues Facing Online Voting Systems

Overview
• Security of Remote Online Voting [1]
  • Two Case Studies
  • Troubles faced by each election
• Cryptographic Foundations
  • Blind Ballot using Public Key Cryptography (PKC)
  • Voting Protocol using PKC
  • Blind Ballot using Public Key Infrastructure (PKI)
  • Modified Voting Protocol using PKI
• Technology Risks Facing Online Voting
• Election Risk & Security
• Suggested security measures for online voting

Page 3: Security Issues Facing Online Voting Systems

Paper Review
• The Security of Remote Online Voting [1]
• Paper discusses two cases of Internet voting
  • Arizona Democratic Party Election in 2000
  • Student Council Elections @ University of Virginia
• The internet will solve typical voting problems
  • Eliminate “Hanging Chad”
  • Speed up counting process
  • Eliminate lengthy recounts
  • Increase voter turnout
  • Guarantee the intent of the voter (simplify voting)

Page 4: Security Issues Facing Online Voting Systems

Case Studies
2000 Arizona Democratic Primary
• First major use of internet voting
• A legally binding political election
• Considered a “Private” election
• Not subject to voting standards
• Contracted out to election.com
• Vendor claimed success (financial motivation)

Many things went wrong!!

Page 5: Security Issues Facing Online Voting Systems

What went wrong?
• Failed to heed warnings from Tech Experts
• Voters forgot, lost, received wrong PIN #’s
• Violated “Secret Ballot” by assigning PINs
• Minority access to internet/computers
• Computer/Browser compatibility issues
• Site down for an hour on election day
• No customer service / limited help desk support
• Multiple lawsuits filed
• Violated 1965 Voting Rights Act
• Belief security was “Airtight”
• Used proprietary encryption algorithm

Page 6: Security Issues Facing Online Voting Systems

Case Study
University of Virginia Student Council Elections
• Small, simple, successful
• Paper ballots not effective
• Ease of Internet access among campus population
• Minimal hardware/software necessary
• Ease of authentication with a small population

Similar problems to Arizona Election

Page 7: Security Issues Facing Online Voting Systems

What went wrong here?
• Believed in community of “Trust”
• Servers crashed within minutes of the election
• Student information was publicly available
  • Making it easy to hijack someone's vote
• Votes were not encrypted in transmission
• Students restricted from voting
  • Based on department
  • Overseas students could not vote
  • Based on “Class Status” determined by credit hours
• Alphabetical ordering of candidates
  • Students on top appeared to be favored
• Fundamental tradeoff between security and convenience

Page 8: Security Issues Facing Online Voting Systems

Cryptographic Foundations
• Online voting depends upon Public Key Cryptography
• Diffie-Hellman public key exchange 1976
  • Changed cryptography forever
  • Allows for two people to generate a secret key
• RSA allowed for use of two keys (Public & Private)
• RSA also allows for digital signature of messages
• PKC used for Authentication and Confidentiality
• Makes (theoretical) online voting possible
• Can be used to generate “Blind Ballots”
• Blind Ballots – Voter's right to keep vote private

Page 9: Security Issues Facing Online Voting Systems

Blind Ballot using PKC

[Diagram: blind-signature flow]
1. Message (M)
2. Multiply by Blinding Factor (r): M * r
3. Blinded Doc (M * r)
4. Notary’s Signature (KR): EKR(M*r)
5. Signed Blinded Doc: EKR(M*r)
6. Divide by Blinding Factor (r)
7. Signed Message: EKR(M)

Is something wrong with this method?
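The blind-signature flow on this slide, worked through with textbook RSA as an added example (not code from the presentation or the cited thesis). The slide abbreviates the blinded document as M * r; in RSA blinding the voter sends M * r^e mod n, so the signer's exponentiation leaves M^d * r and dividing by r yields an ordinary signature on M. The toy key, the function names and the sample ballot are constructed for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key for the signer (the slide's notary/validator).
# Two Mersenne primes keep the numbers readable; real keys need >= 2048 bits.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # signer's private exponent (KR on the slide)

def ballot_to_int(ballot: bytes) -> int:
    """Map a ballot to M in [0, N) by hashing (no padding: textbook RSA only)."""
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N

def new_blinding_factor() -> int:
    """Pick r that is invertible mod N, otherwise unblinding is impossible."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r

def blind(m: int, r: int) -> int:
    """Voter: hide M as M * r^E mod N before sending it to the signer."""
    return (m * pow(r, E, N)) % N

def sign(x: int) -> int:
    """Signer: sign whatever it is given; it cannot see M inside x."""
    return pow(x, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """Voter: divide by r, leaving M^D mod N, an ordinary signature on M."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify(m: int, sig: int) -> bool:
    """Tallier: check the signature with the signer's public key (E, N)."""
    return pow(sig, E, N) == m

def cast(ballot: bytes):
    """Run the slide's flow once; return (value the signer saw, final signature)."""
    m, r = ballot_to_int(ballot), new_blinding_factor()
    blinded = blind(m, r)
    return blinded, unblind(sign(blinded), r)

if __name__ == "__main__":
    seen, sig = cast(b"candidate=A")   # constructed sample ballot
    print("signer saw:", seen)
    print("signature valid:", verify(ballot_to_int(b"candidate=A"), sig))
```

Because the signer cannot inspect what it signs, eligibility has to be checked by other means, which is the role the PIN plays in the protocol on the following slides.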

Page 10: Security Issues Facing Online Voting Systems

Is message/vote truly blinded?

[Diagram: voting protocol using PKC]
• Voter received a PIN during registration (Registration Server, PIN Database)
• Blinded ballot and PIN sent to Validator
• Validates voter's PIN, signs ballot & sends back to voter
• Blinded ballot signed by Validator
• Voter removes blinding and passes signed ballot to tallier anonymously*
• Validated vote tallied

Diagram labels: EKR(M*r) + PIN; EKV(EKR(M*r)); EKV(M)

Page 11: Security Issues Facing Online Voting Systems

Modified Blind Ballot using PKI

[Diagram: modified blind ballot]
• Message (M)
• Election Public Key (EPK): EEPK(M)
• Encrypted Vote EPK(M) (Blinded)
• Voter's PIN from Registration Process: EPK(M) + PIN
• Validator's Public Key (VPK): EVPK(EEPK(M) + PIN)
• Vote blinded from Validator
• Confidentiality and Integrity provided between voter and Validator

Page 12: Security Issues Facing Online Voting Systems

Modified Voting Protocol

[Diagram: modified voting protocol]
• Encrypted Blinded Ballot with PIN
• PIN Database: Is PIN valid?
• Decrypts & validates vote, removes PIN
• Signs ballot with Private Key, sends to voter
• Blinded Ballot signed by Validator
• Voting Database: Signed Blinded Ballot entered into database (Vote Database)
• Validated votes tallied (must have Election Private Key)

Diagram labels: EVPK(EEPK(M) + PIN); EVPRK(EEPK(M)); EVPRK(EEPK(M))

Page 13: Security Issues Facing Online Voting Systems

Comparison of elections

Arizona Election
• Large scale election
• Traditional methods - Status Quo
• Legally binding
• Internet not available to everyone
• Lawsuits filed
• Some voters could not vote
• Large target audience (State)
• Authorization req. Registration
• Large political target for hackers
• Undisclosed funds spent
• Security a major concern
• Trust a major issue!!
• Considered a failure

University of Virginia
• Small scale election
• Traditional methods too costly
• Not legally binding
• Everyone had internet access
• No legal requirements
• Voters unable to vote
• Small targeted group (Campus)
• Authorization via Registration
• Small target for hackers (No gain)
• Managed in house by IT Dep.
• Trade security for convenience
• Trust within community!!
• Considered a success

Page 14: Security Issues Facing Online Voting Systems

Technology Risks for Online Voting
Security Risks associated with Online Voting
• Internet is still a very insecure medium
• Spyware, Malicious Code, Botnets, Hackers, Oh My!!!
• Spam – Bogus e-mails or links to Bogus Voter Websites
• Poorly developed applications
• Distributed / Denial of Service Attacks (DOS / DDOS)
• Physical attacks possible
• Insider threat, intentional or unintentional

Rarely a brute force attack against crypto algorithms

Page 15: Security Issues Facing Online Voting Systems

Election Risk & Security

[Chart: Security Measures ($ to $$$$) plotted against Election Risk / Criticality of Outcome, divided into zones 1, 2, 3 and 4. CIA Triad levels: Low, Moderate, High, Off The Hook. Elections shown: Student Council Election, University Official, State/National Committee, State/Federal Official, Presidential Election, City Public Official.]

Page 16: Security Issues Facing Online Voting Systems

Trust in technology/internet
• Technology & Internet is part of our culture
  • Ease of Internet Access
  • Online Banking
  • Online Sales – Amazon etc.
  • Use of ATMs
    • 290,000 ATMs in US – 1999
    • 14.9 Billion Transactions - 1998
  • Debit/Credit Cards
  • Airline Tickets on your Cell phone – Approved by the TSA!

http://www.google.com/publicdata?ds=wb-wdi&met_y=it_net_user_p2&idim=country:USA&dl=en&hl=en&q=internet+usage+statistics

Page 17: Security Issues Facing Online Voting Systems

Zone 1 - Security
Things to consider
• Keep it simple!
• Utilize SSL
• Establish Secure Web Site/Server
• Enforce strong username & passwords
• Keep systems patched and anti virus/spyware current
• Apply applicable STIGs from DISA or NSA
• Eliminate unnecessary applications/software (harden system)
• Use available tools to scan for vulnerabilities before election
• Backup your website and your data (daily), keep data secure
• Limit your exposure - open website during voting hours only
• Possible use of a firewall or host system at a secure site if $$ allow

$ - Low

CIA - Low

Legal - None

Page 18: Security Issues Facing Online Voting Systems

Zone 2 - Security
Things to consider
• Zone 1 security requirements
• Firewall / DMZ
• Host based Intrusion Detection System
• Public Key Cryptography
• Authentication, Authorization, Accountability (AAA)
• Redundant systems
• Alternate / Backup site
• Internal review/certification (NIST 800-53 / Low-Moderate)
• Consider Web Site Security (OWASP Top 10)
• Requires individual registration, issuing of PIN #s

$$ - Moderate

CIA - Moderate

Legal - Possible

Page 19: Security Issues Facing Online Voting Systems

Web App Security Risks
The OWASP Top 10 Web Application Security Risks for 2010:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards

Page 20: Security Issues Facing Online Voting Systems

Zone 3 - Security
Things to consider
• Zone 2 security requirements
• Independent registration system
• Enhanced firewalls
  • Deep Packet Inspection
• Intrusion Detection / Prevention Systems
• VPNs
• End-to-End Encryption (PKC/PKI)
• Cryptographic Authentication for Officials
• Penetration testing
• Independent certification/Review (NIST 800-53 / Moderate-High)
• Functional and Compatibility Testing
• Legal review – Ensure compliance with applicable laws

$$$ - High

CIA - High

Legal – State/Federal

DMZ

Page 21: Security Issues Facing Online Voting Systems

Zone 4 - Security
Things to consider
• Zone 3 security requirements
• Multiple Independent Operating Locations
• High Availability & Redundancy
• Distributed across the Enterprise
• DOS/DDOS Detection/Reaction, and Redirection of Authorized Traffic
• Multiple Linked Online Intrusion Detection / Prevention Systems
• Enterprise monitoring / Management (networks/servers/databases...)
• Private/Dedicated encrypted networks compliant with FIPS 140-2
• Heavy use of PKI & End-to-End Encryption
• Multiple Independent certifications/Reviews (NIST 800-53 / High)
• Federal/States Legal review – Ensure compliance with applicable laws

$$$$ - Very High

CIA – High + AAA

Legal – Federal/State

Page 22: Security Issues Facing Online Voting Systems

Conclusion
• Issues facing Online Voting are enormous
• Internet continues to be insecure medium
• Insecurity is across the board - clients, applications, networks…
• Insecurity seems to be increasing
• Trust across the community is lacking
• Issues range from Technical to Administrative through Legal
• Problems persist, new ones arise, old ones are not fixed
• Small scale voting seems to be far more successful
• Cryptographic techniques exist to support Online Voting
• Further research into multiple online voting areas still needed

Page 23: Security Issues Facing Online Voting Systems

Sources

[1] The Security of Remote Online Voting - Thesis, Daniel Rubin, School of Engineering and Applied Science, University of Virginia