
8/6/2019 Voting Security Use for Class Nov 282006

http://slidepdf.com/reader/full/voting-security-use-for-class-nov-282006 1/38

Distributed Systems Security Overview

Douglas C. Sicker

Assistant Professor, Department of Computer Science and Interdisciplinary Telecommunications Program


Nov. 15, 2005, Distributed Security, ECE N 5053, U of Colo, Boulder

Network Security

• What we'll cover:
  – What is network security?
  – What are the goals?
  – What are the threats?
  – What are the solutions?
  – How do they operate?
• This is a lot of info and it might take a few reads to stick.


Network Security

• Some issues with the book…
• Assumes malicious intent as the reason for needing security.
  – Is this valid?
• Focus on the protocols (not surprising)
  – However, the real problems with security are mostly outside of the technical space (see the Economist articles).
  – What else should we consider?
    • For example, more depth on security models, security policy, assurance, insurance, risk assessment…
  – Lastly, keep in mind that even the best protocols can be misapplied.


Network Security

• What do we seek?
  – Confidentiality
  – Integrity
  – Availability
  – Non-repudiation
  – Accounting


Distributed Security and Electronic Voting

"The Perils of Polling", Steven Cherry, IEEE Spectrum, October 2004, pp. 34-40

ECE N 5053 Software Engineering of Distributed Systems
University of Colorado, Boulder


Background

• Read Chapter 7 in text
• Read articles from The Economist
• Consider the issues of electronic voting
• To simplify one of your homework problems, make a list of security issues as you recognize them in the lecture.


Advent of electronic voting acceptance

• What is "electronic voting" for this unit?
  – Use of equipment that directly records votes only on electronic media, such as chips, cartridges, or disks, with no paper or other tangible form of backup
• November 2004 election
  – More than 25% of U.S. ballots will be cast using electronic voting
• If we are ready for electronic voting, is the technology ready for us?


Pros & Cons

• Advantages:
  – No hanging chads
  – No paper ballots printed out of alignment so that optical scanners make too many errors (the bane of Boulder County in November 2004)
• Disadvantages for 2004
  – Some deployed systems had known flaws
  – Some poorly tested
  – Some not tested at all


Basics

• Fundamental requirement for ensuring integrity of votes
  – Ability to perform an independent recount
  – Reconstruct the tally if contested
• Current systems
  – No assurance that the vote was counted at all
  – No assurance counted correctly
  – Some machines will fail (as they have in recent elections)


The real issues of security

• Requirements:
  – voting machines must be robustly reliable
  – independently verifiable counts
• Unfortunately, it may be a harder problem than is appreciated by those who developed products in use
• David Chaum is working on it ...
  – cryptographer
  – more later


Vision Document problem statement

The problem of [describe the problem]
affects [the stakeholders affected by the problem]
the impact of which is [what is the impact of the problem?]
A successful solution would be [list some key benefits of a successful solution]


Let's stop and list requirements

• What are some characteristics of elections?
  – early voting
  – absentee voting
  – election day
  – what else?


Are there standards in place?

• Yes and no
  – Many installed for 2004 election complied with federal guidelines
  – obsolete ... from 1990
  – A lot of legislation since then at state and federal level
  – not all systems comply


Domain challenges

• Elections run individually by each state
• State and local officials responsible for choosing and deploying equipment
  – not skeptical enough of manufacturers' claims
  – sometimes rejected advice of engineers and specialists
• If states are willing to buy and federal government is willing to give money to do so ...


State differences

• Some states choose voting equipment at the state level
• Some leave it up to counties or even smaller municipalities
• Lots of decision makers leads to variety of decisions made
• Some other countries with electronic voting made the choice at the national level. See any problems with that?


Partially vs. wholly electronic

• Partially electronic systems
  – Paper ballot to be optically scanned like standardized tests
  – Scanners count
  – If contested, ballots can be rescanned or counted by hand
• Wholly electronic
  – Store the vote digitally, not on paper


Accu-Vote-TSX example

• Touch-screen system made by Diebold Inc
• Voter signs in at the polling station and receives an activated card similar to modern hotel-room "key"
• Voter inserts it into machine and makes selections
• When voter touches "Cast Vote", vote is recorded on hard disk, access card is deactivated
  – voter cannot vote a 2nd time
• Accu-Vote machine has built-in printer to record vote totals when polls close
• Accu-Vote machine has a modem for optional encryption and transmission of vote totals


80% of the market

• Diebold
• Election Systems & Software, Inc.
• Sequoia Voting Systems, Inc.


Advantages of Electronic Voting

• Machines can be programmed to keep the voter from voting for two candidates for a single office
• Text on the screen can be read by voice-synthesis software
• Other features


Current disadvantages

• Early-generation equipment was flawed
• Hard for local governments to keep track
• Shifting cast of companies
• Testing is time-consuming
• Certification requirements can't keep up
• New machines, many workers are volunteers with short term training appropriate for a 1 or 2-day job


Examples of problems

• 2002 a Florida gubernatorial (governor) primary
  – in two counties, some of the new equipment would not boot in time for the start of the election
• 2003, Boone County, Indiana
  – 5,352 voters
  – 144,000 votes reported
• 2004 primaries in California
  – catastrophes throughout the state across wide variety of different machines
  – San Diego County
  – some opened 4 hrs late
  – Some Diebold machines spontaneously rebooted presenting Microsoft Windows generic screen instead of ballot


Reliability Concerns

• The Diebold spontaneous reboot problem
  – Voter access card encoders
  – Power switches had faults that drained them of battery power
• In northern Alameda County, 1 in 5 Diebold encoders had similar problems
• Hearings held, California Sec'y of State Kevin Shelley released a report charging
  – Diebold marketed, sold, and installed AccuVote systems in Kern, San Diego, San Joaquin, and Solano counties
  – prior to full testing and federal qualification
  – without complying with state certification requirements


Reliability Consequences

• April 30, Calif Sec'y of State withdrew approval for all direct-recording electronic voting systems in California
  – State required nearly 16,000 AccuVote machines in the 4 counties to be recertified
  – this time, complying with tighter security and auditability measures or
  – replaced with optically scanned balloting in time for the November election
• Based on your knowledge of software, what are the implications of complying with new requirements within a tight deadline?


Other problems

• Installation of uncertified components and coverup of malfunctioning products
  – Earlier in 2004, "a June 2003 ES&S memo came to light that indicated flaws in the auditing software for a $24.5 million installation of its iVotronic voting machines in Miami-Dade County"
  – ES&S also manufactured voting systems previously used in Venezuela that suffered a 6% malfunction rate in actual use.


Elsewhere

• Ireland scuttled plans to use electronic voting in local and European parliamentary elections in June 2004
  – partly over concerns about lack of independent auditability
  – constant software updates from the vendors*
  – software could not be reviewed in time
• Same vendor (Nedap NV) made some of its online e-voting software** available as open source
  – Won't compile and run
  – What else?


Physical security

• 1% of Fairfax County, Virginia's new WINvote touch-screen machines (Advanced Voting Solutions)
  – repaired outside the polling place
  – returned and put back into use
  – with broken or removed security seals
  – in apparent violation of state law


Distributed systems bandwidth issue

• Again, Fairfax
  – About half of the vote totals (not the national election) couldn't be electronically transmitted
  – System flooded itself with messages
  – They had inadvertently designed in their own denial of service attack on the server
• A number of machines apparently subtracted votes at random from the Republican school board candidate (Rita Thompson) resulting in a possible miscount of 1 to 2 percent of her votes, close to the margin by which she lost the election.


Warnings

• Web site for Arlington County told poll workers what to do if
  – the voting machine freezes during boot-up
  – master unit does not "pick up" one of the units in the polling place when opening the polls
  – when closing, "if tally fails to pick up a machine"
• Jeremy Epstein, an information-security expert, attended a pre-election training session
  – submitted a 3-page list of questions to Fairfax officials
  – then electoral board sec'y couldn't respond on the grounds that "release of that information could jeopardize the security of that voting equipment"
  – treat that as a requirement ...


Complexity is generally not understood

• "Here are the candidates, pick one"
  – What other situations occur?
• Anonymity is a potentially bigger problem
  – Requirements?


Complexity continued

• Independent verifiability
  – California audits elections by requiring 1% of all paper ballots be manually recounted whether or not an election is contested
  – Requirements?
  – Focus on adding paper back into the process
    • Requirements re paper ballot?
  – California: newly purchased direct-recording must have accessible, voter-verified paper audit trail
    • retrofit required for existing ones by July 2006
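The "Basics", "Examples of problems" and "Complexity continued" slides together describe what an auditor actually does with a tally: check that the electronic totals are even possible (Boone County reported 144,000 votes from 5,352 voters), compare them against a hand count of the paper record where one exists, and draw a fixed fraction of precincts for manual recount whether or not the race is contested. The Go program below is an added example of those checks; it is not code from the lecture or from any voting vendor. The precinct records, candidate names and the 1%-per-precinct reading of the California rule are constructed for illustration, and the audit draw uses a seed that would be published before the draw so observers can reproduce it.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"sort"
)

// Precinct holds the figures an election office has for one precinct.
// All values below are constructed sample data, not records of a real race.
type Precinct struct {
	Name         string
	SignIns      int            // voters who signed the poll book
	MachineTotal int            // ballots the electronic tally reports
	MachineVotes map[string]int // per-candidate electronic totals for one office
	PaperVotes   map[string]int // per-candidate hand count of the paper record; nil if there is none
}

// CheckCounts returns the consistency problems found in one precinct's
// reported totals. An empty result means the totals reconcile.
func CheckCounts(p Precinct) []string {
	var issues []string

	// More ballots than sign-ins is the Boone County pattern on the slide:
	// the tally cannot be trusted and the precinct needs a hand count.
	if p.MachineTotal > p.SignIns {
		issues = append(issues, fmt.Sprintf("%s: %d ballots reported but only %d voters signed in",
			p.Name, p.MachineTotal, p.SignIns))
	}

	// For a single office the candidate totals cannot exceed ballots cast
	// (undervotes are allowed, overvotes are not).
	sum := 0
	for _, v := range p.MachineVotes {
		sum += v
	}
	if sum > p.MachineTotal {
		issues = append(issues, fmt.Sprintf("%s: candidate totals (%d) exceed ballots cast (%d)",
			p.Name, sum, p.MachineTotal))
	}

	// Where a paper record exists the hand count is the reference; every
	// candidate whose electronic total differs from it is reported.
	if p.PaperVotes != nil {
		names := make([]string, 0, len(p.MachineVotes))
		for c := range p.MachineVotes {
			names = append(names, c)
		}
		sort.Strings(names) // deterministic report order
		for _, c := range names {
			if p.PaperVotes[c] != p.MachineVotes[c] {
				issues = append(issues, fmt.Sprintf("%s: %s machine=%d paper=%d",
					p.Name, c, p.MachineVotes[c], p.PaperVotes[c]))
			}
		}
	}
	return issues
}

// AuditSample chooses the precincts whose paper ballots get a manual recount
// whether or not the election is contested: ceil(fraction * N) of them, drawn
// from a seed published before the draw so observers can reproduce the pick.
func AuditSample(precincts []Precinct, fraction float64, seed int64) []string {
	n := int(math.Ceil(fraction * float64(len(precincts))))
	if n < 1 {
		n = 1
	}
	if n > len(precincts) {
		n = len(precincts)
	}
	r := rand.New(rand.NewSource(seed))
	chosen := make([]string, 0, n)
	for _, i := range r.Perm(len(precincts))[:n] {
		chosen = append(chosen, precincts[i].Name)
	}
	sort.Strings(chosen)
	return chosen
}

// SampleBoone uses the two figures quoted on the slide (5,352 voters,
// 144,000 votes reported); the candidate split is constructed.
var SampleBoone = Precinct{
	Name: "Boone-01", SignIns: 5352, MachineTotal: 144000,
	MachineVotes: map[string]int{"A": 80000, "B": 64000},
}

// SampleClean reconciles: ballots do not exceed sign-ins and paper matches machine.
var SampleClean = Precinct{
	Name: "Clean-02", SignIns: 900, MachineTotal: 850,
	MachineVotes: map[string]int{"A": 500, "B": 340},
	PaperVotes:   map[string]int{"A": 500, "B": 340},
}

// SampleDrift models the Fairfax pattern: the machine total looks plausible,
// but the hand count of the paper record is higher for one candidate.
var SampleDrift = Precinct{
	Name: "Drift-03", SignIns: 1200, MachineTotal: 1150,
	MachineVotes: map[string]int{"A": 600, "B": 540},
	PaperVotes:   map[string]int{"A": 600, "B": 552},
}

func main() {
	all := []Precinct{SampleBoone, SampleClean, SampleDrift}
	for _, p := range all {
		for _, s := range CheckCounts(p) {
			fmt.Println("ISSUE:", s)
		}
	}
	fmt.Println("manual audit:", AuditSample(all, 0.01, 20051115))
}
```

The Drift precinct is the case the slides care about most: nothing in the electronic totals alone is implausible, so only a comparison with a voter-verified paper record exposes the discrepancy. Without that record the check degrades to the two plausibility tests, which catch gross failures like Boone County but not a 1 to 2 percent shift.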


Complexity summary

• The vote
  – Complexity of selection possibilities
  – Count correctly
  – Robust hardware and software
  – Accurate LAN communication at polling place
  – Accurate WAN communication to central server, if used
• ETC
  – how to verify electronic votes
  – how to test electronic voting hw and sw
  – how to maintain security and integrity


Without voter-verified paper audit trail

• Certification process necessary
  – Compliance verification
  – Is the system in place the one that was certified?
  – Current federal guidelines (2002) don't require digital signature to track software from certification to installation to end of voting day
• IEEE Standards Association formed a working group on voting standards
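The slide's gap, no digital signature tracking the software from certification to installation to the end of voting day, is the kind of thing a small verification routine makes concrete. The Go program below is an added example, not code from the lecture, the IEEE working group or any vendor. It assumes a certifying authority that holds an Ed25519 signing key, signs the SHA-256 digest of the exact image it tested together with a version string, and that the same check is repeated at installation, at poll opening and at poll close; the image bytes, version and stage names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certification is what the certifying authority hands over with the approved
// software image: the version, the SHA-256 digest of the image it tested, and
// its signature over both.
type Certification struct {
	Version   string
	Digest    [sha256.Size]byte
	Signature []byte
}

// NewAuthorityKey generates the certifying authority's signing key pair
// (constructed for the demo; a real authority would keep this key offline).
func NewAuthorityKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedMessage binds version and digest together so a signature issued for
// one version cannot be reused for another.
func signedMessage(version string, digest [sha256.Size]byte) []byte {
	return append([]byte("voting-sw-cert\x00"+version+"\x00"), digest[:]...)
}

// Certify is run once, by the certifying authority, on the image it tested.
func Certify(priv ed25519.PrivateKey, version string, image []byte) Certification {
	d := sha256.Sum256(image)
	return Certification{
		Version:   version,
		Digest:    d,
		Signature: ed25519.Sign(priv, signedMessage(version, d)),
	}
}

// Verify is run at each hand-off. It hashes the image actually present and
// checks it against the certified digest and signature, so any byte changed
// since certification, or a certificate not issued by the authority, fails.
func Verify(pub ed25519.PublicKey, cert Certification, present []byte) error {
	d := sha256.Sum256(present)
	if !bytes.Equal(d[:], cert.Digest[:]) {
		return errors.New("image digest does not match certified digest")
	}
	if !ed25519.Verify(pub, signedMessage(cert.Version, cert.Digest), cert.Signature) {
		return errors.New("certification signature invalid")
	}
	return nil
}

// Stages at which the check is repeated, covering the slide's span from
// installation to end of voting day (names constructed for the demo).
var Stages = []string{"installation", "poll-open", "poll-close"}

// RunChain verifies the image observed at each stage and returns a custody
// log plus whether every stage passed. A single failure breaks the chain.
func RunChain(pub ed25519.PublicKey, cert Certification, observed map[string][]byte) ([]string, bool) {
	var log []string
	ok := true
	for _, stage := range Stages {
		if err := Verify(pub, cert, observed[stage]); err != nil {
			log = append(log, stage+": FAIL ("+err.Error()+")")
			ok = false
			continue
		}
		log = append(log, stage+": OK version "+cert.Version)
	}
	return log, ok
}

func main() {
	pub, priv := NewAuthorityKey()
	image := []byte("constructed voting software image 1.2") // stand-in firmware
	cert := Certify(priv, "1.2", image)

	// The image seen at close of polls differs from the certified one by one byte.
	altered := append([]byte(nil), image...)
	altered[0] ^= 0x01

	log, ok := RunChain(pub, cert, map[string][]byte{
		"installation": image, "poll-open": image, "poll-close": altered,
	})
	for _, line := range log {
		fmt.Println(line)
	}
	fmt.Println("chain intact:", ok)
}
```

The check answers the slide's question "is the system in place the one that was certified?" only as far as the verifier itself can be trusted: if Verify runs on the voting machine from the same storage as the image it is checking, a replaced image could carry a replaced verifier. In practice the hash is taken by separate tooling, or the check is anchored in the machine's boot chain, and the custody log is retained alongside the paper record so the 1% manual audit can be cross-referenced with it.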


Design question

• Is it possible to provide sufficient auditability without paper
  – Consider electronic funds transactions
  – Encryption techniques
• David Chaum, cryptographer
  – Lets election officials post electronic ballots to the internet
  – Voters can check that their votes were included in the election tally
  – Still needs paper but his electronic tallies are as reliable as a count of paper ballots
  – Still provides voter anonymity
  – Great, right?


Suppose all cryptography issues settled ...

• If all mathematical problems are solved, what remains?
• Voting is a complicated social phenomenon and the solution must be perceived socially to be a solution.
  – Machines need to be physically secure before, during, after
  – Workers well trained, able to deal with technological problems that can occur


Chaum's approach [figure slide; the image is not reproduced in this transcript]


Distributed System Issues?

In addition to the security issues you listed, what distributed system issues do we have to address to have an acceptable system?