sen-material: comparison handouts/ho02.tex

equal deleted inserted replaced

-:01fe5aba8781
+:7807863c4196
 In security engineering, there are many counter-intuitive
 phenomena: for example I am happy (more or less) to use online
 banking every day, where if something goes wrong, I can
 potentially lose a lot of money, but I am staunchly against
-using electronic voting (lets call it e-voting for short).
+using electronic voting (let's call it e-voting for short).
 E-voting is an idea that is nowadays often promoted in order
 to counter low turnouts in elections\footnote{In my last local
 election where I was eligible to vote only 48\% of the
 population have cast their ballot. I was, I shamefully admit,
 one of the non-voters.} and generally sounds like a good idea.
 scale of Turing's halting problem, which is proved that it can
 never be solved in general, but more in the category of being
 unsolvable with current technology. This is not just my
 opinion, but also shared by many security researchers amongst
 them Alex Halderman, who is the world-expert on this subject
-and from whose course on Securing Digital Democracy I have
+and from whose Coursera course on Securing Digital Democracy I
-most of my information and inspiration. It is also a
+have most of my information and inspiration. It is also a
 controversial topic in many countries:
 \begin{itemize}
 \item The Netherlands between 1997--2006 had electronic voting
 machines, but ``hacktivists'' had found they can be
 polls, but to my knowledge does not use any e-voting in
 elections.
 \item The US used mechanical machines since the 1930s, later
 punch cards, now DREs and optical scan voting machines.
+But there is a lot of evidence that DREs and optical
+scan voting machines are not as secure as they should
+be.
 \item Estonia used since 2007 the Internet for national
 elections. There were earlier pilot studies for voting
 via Internet in other countries.
 always have an error rate: people after several hours
 looking at ballots will inevitably miscount votes. But
 what should be ensured is that the error rate does not
 change the outcome of the election. Of course if
 elections continue to be on knives edges we need to
-ensure that we have a rather small error rate.
+strive for rather small error rates.
 \item There might be gigantic sums at stake and need to be
 defended against. The problem with this is that if
 the incentives are great and enough resources are
 available, then maybe it is feasible to mount a DoS
-attack against voting server and by bringing the
+attack against the voting server and by bringing the
 system to its knees, change the outcome of an
 election. Not to mention to hack the complete
 system with malware and change votes undetectably.
 \end{itemize}
 cannot vote. While this sounds an innocent
 requirement, in fact some parts of the population for
 one reason or another just do not have driving
 licenses. They are now excluded. Also if you insist on
 paper ballots you have to have special provisions for
-blind people. Otherwise they cannot vote.
+blind people. Otherwise they too cannot vote.
 \end{itemize}
 \item {\bf Availability}
 \begin{itemize}
 \item The voting system should accept all authorised votes
 \end{center}
 \noindent If we had ballots with complete voter
 identification, then we can improve integrity because we can
 trace back the votes to the voters. This would be good when
-verifying the results or recounting. But such an
+verifying the results or when recounting. But such an
 identification would violate ballot secrecy (you can prove to
 somebody else how you voted). In contrast, if we remove all
 identification for ensuring ballot secrecy, then we have to
 ensure that no ``vote-stuffing'' occurs. Similarly, if we
-improve authentication by requiring a to be present at the
+improve authentication by requiring to be present at the
 polling station with an ID card, then we exclude absentee
 voting.
 To tackle the problem of e-voting, we should first have a look
 into the history of voting and how paper-based ballots
 evolved. Because also good-old-fashioned paper ballot voting
 is not entirely trivial and immune from being hacked. We know
 for sure that elections were held in Athens as early as 600
 BC, but might even date to the time of Mesopotamia and also in
-India some kind of ``republics'' might have existed before the
+India some kind of republics might have existed before the
 Alexander the Great invaded it. Have a look at Wikipedia about
 the history of democracy for more information. These elections
 were mainly based on voting by show of hands. While this
 method of voting satisfies many of the requirements stipulated
 above, the main problem with hand voting is that it does not
 guaranty ballot secrecy. As far as I know the old Greeks and
 Romans did not perceive this as a problem, but the result was
 that their elections favoured rich, famous people who had
 enough resources to swing votes. Even using small coloured
-stones did not really mitigate the problem with ballot
+stones, which were also used at that time, did not really
-secrecy. The problem of authorisation was solved by friends or
+mitigate the problem with ballot secrecy. The problem of
-neighbours vouching for you to prove you are eligible to vote
+authorisation was solved by friends or neighbours vouching for
-(there were no ID cards in ancient Greece and Rome).
+you to prove you are eligible to vote (there were no ID cards
+in ancient Greece and Rome).
 Starting with the French Revolution and the US constitution,
-people started to value a more egalitarian approach to voting
+people began to value a more egalitarian approach to voting
 and electing officials. This was also the time where paper
 ballots started to become the prevailing form of casting
 votes. While more resistant against voter intimidation, paper
 ballots need a number of security mechanisms to avoid fraud.
-For example you need voting booths to fill out the ballot in
+For example you need voting booths for being able to fill out
-secret. Also transparent ballot boxes are often used in order
+the ballot in secret. Also transparent ballot boxes are often
-to easily detect and prevent vote stuffing (prefilling the
+used in order to easily detect and prevent vote stuffing
-ballot box with false votes).
+(prefilling the ballot box with false votes).
 \begin{center}
 \includegraphics[scale=2.5]{../pics/ballotbox.jpg}
 \end{center}
 \noindent Another security mechanism is to guard the ballot
 box against any tampering during the election until counting.
 The counting needs to be done by a team potentially involving
-also independent observers. One interesting attack against
+also independent observers.
-completely anonymous paper ballots is called \emph{chain vote
-attack}. It works if the paper ballots are given out to each
+One interesting attack against completely anonymous paper
-voter at the polling station. Then an attacker can give the
+ballots is called \emph{chain vote attack}. It works if the
-prefilled ballot to a voter. The voter uses this prefilled
+paper ballots are given out to each voter at the polling
-ballot to cast the vote, and then returns the empty ballot
+station. Then an attacker can give the prefilled ballot to a
-back to the attacker who now compensates the voter. The blank
+voter. The voter uses this prefilled ballot to cast the vote,
-ballot can be reused for the next voter.
+and then returns the empty ballot paper back to the attacker who now
+compensates the voter. The blank ballot can be reused for the
-The point is that paper ballots have evolved over some time
+next voter.
+To sum up, the point is that paper ballots have evolved over some time
 and no single best method has emerged for preventing fraud.
 But the involved technology is well understood in order to
 provide good enough security with paper ballots.
 \subsection*{E-Voting}
 provide at least the same security, privacy and transparency
 as the system it replaces.''
 \end{quote}
 \noindent Whenever people argue in favour of e-voting they
-seem to be ignore this basic premise.\bigskip
+seem to be ignoring this basic premise.\bigskip
 \noindent After the debacle of the Florida presidential
-election in 2000, many counties used Direct-Recording
+election in 2000, many voting precincts in the US used
-Electronic voting machines (DREs) or optical scan machines.
+Direct-Recording Electronic voting machines (DREs) or optical
-One popular model of DRE was sold by the company called
+scan machines. One popular model of DREs was sold by a
-Diebold. In hindsight they were a complete disaster: the
+company called Diebold. In hindsight they were a complete
-products were inferior and the company incompetent. Direct
+disaster: the products were inadequate and the company
-recording meant that there was no paper trail, the votes were
+incompetent. Direct recording meant that there was no paper
-directly recorded on memory cards. Thus the voters had no
+trail, the votes were directly recorded on memory cards. Thus
-visible assurance whether the votes were correctly cast. The
+the voters had no visible assurance whether the votes were
-machines behind these DREs were ``normal'' windows computers,
+correctly cast. Even if there is a printout provided;
-which could be used for anything, for example for changing
+it does not give any guaranty about what is recorded on
-votes. Why did nobody at Diebold think of that? That this was
+the memory card.
-eventually done undetectably is the result of the
-determination of ethical hackers like Alex Halderman. His
+The machines behind these DREs were ``normal'' windows
-group thoroughly hacked them showing that election fraud is
+computers, which could be used for anything, for example for
-easily possible. They managed to write a virus that infected
+changing votes. Why did nobody at Diebold think of that? I
-the whole system by having only access to a single machine.
+have no idea. But that this was eventually done undetectably
+is the result of the determination of ethical hackers like
+Alex Halderman. His group thoroughly hacked Diebold's DREs
+showing that election fraud with them is easily possible. They
+even managed to write a virus that infected the whole system
+by having only access to a single machine.
 \begin{figure}[t]
 \begin{center}
 \begin{tabular}{c}
 \includegraphics[scale=0.45]{../pics/dre1.jpg}\;
 \caption{Direct-Recording Electronic voting machines above;
 an optical scan machine below.\label{machines}}
 \end{figure}
 What made matters worse was that Diebold tried to hide their
-incompetency and inferiority of their products, by requiring
+incompetency and the inferiority of their products, by
-that election counties must not give the machines up for
+requiring that election counties must not give the machines up
-independent review. They also kept their source secret.
+for independent review. They also kept their source secret.
-This meant Halderman and his group had to obtain a machine
+This meant Halderman and his group had to obtain a machine not
-not in the official channels. Then they had to reverse
+through the official channels. They then had to reverse
-engineer the source code in order to design their attack.
+engineer the source code in order to design their attack. What
-What this all showed is that a shady security design is no
+this all showed is that a shady security design is no match to
-match to a determined hacker.
+a determined hacker.
 Apart from the obvious failings (for example no papertrail),
 this story also told another side. While a paper ballot box
 need to be kept secure from the beginning of the election
 (when it needs to be ensured it is empty) until the end of the
 day, electronic voting machines need to be kept secure the
-whole year. The reason is of course one cannot see whether
+whole year. The reason is of course that one cannot see
-somebody has tampered with the program a computer is running.
+whether somebody has tampered with the program a computer is
-Such a 24/7 security costly and often even even impossible,
+running. Such a 24/7 security is costly and often even
-because voting machines need to be distributed usually the day
+impossible, because voting machines need to be distributed
-before to the polling station. These are often schools where
+usually the day before the election to the polling stations.
-the voting machines are kept unsecured overnight. The obvious
+These are often schools where the voting machines are kept
-solution of putting seals on computers also does not work: in
+unsecured overnight. The obvious solution of putting seals on
-the process of getting these DREs discredited (involving court
+computers did not work: in the process of getting these DREs
-cases) it was shown that seals can easily be circumvented. The
+discredited (involving court cases) it was shown that seals
-moral of this story is that election officials were
+can easily be circumvented. The moral of this story is that
-incentivised with money by the central government to obtain
+election officials were incentivised with money by the central
-new  voting equipment and in the process fell prey to pariahs
+government to obtain new voting equipment and in the process
-which sold them a substandard product. Diebold was not the
+fell prey to pariahs which sold them a substandard product.
-only pariah in this project, but one of the more notorious
+Diebold was not the only pariah in this area, but one of the
-one.
+more notorious ones.
 Optical scan machines are slightly better from a security
 point of view but by no means good enough. Their main idea
 is that the voter fills out a paper ballot, which is then
 scanned by a machine. At the very least the paper ballot can
 \noindent An interesting solution for e-voting was designed in
 India. Essentially they designed a bespoke voting device,
 which could not be used for anything else. Having a bespoke
 device is a good security engineering decision because it
-makes the attack surface smaller. If you have a full-fledged
+makes the attack surface much smaller. If you have a
-computer behind your system, then you can do everything a
+full-fledged computer behind your system, then you can do
-computer can do\ldots{}that is a lot, including a lot of
+everything a computer can do\ldots{}and that is a lot,
-abuse. What was bad that these machines did not have the
+including a lot of abuse. What was bad about the devices in
-important paper trail: that means if an election was tampered
+India was that these machines did not have the important paper
-with, nobody would find out. Even if they had by their bespoke
+trail: that means if an election was tampered with, nobody
-design a very small attack surface, ethical hackers were still
+would find out. Even if they had by their bespoke design a
-able to tamper with them. The moral with Indian's voting
+very small attack surface, ethical hackers were still able to
-machines is that even if very good security design decisions
+tamper with them. The moral with Indian's voting machines is
-are taken, e-voting is very hard to get right.\bigskip
+that even if very good security design decisions are taken,
+e-voting is very hard to get right.\bigskip
 \noindent This brings us to the case of Estonia, which held in
 2007 the worlds first general election that used Internet.
-Again their solution made some good choices: for example
+Again their solution made some good choices: for example voter
-voter authentication is done via the Estonian ID card,
+authentication is done via the Estonian ID card, which
-which contains a chip like credit cards. They also made most
+contains a chip like on credit cards. They also made most of
-of their source code public for independent scrutiny. Of
+their source code public for independent scrutiny. Of course
-this openness means that people (hacker) will look at your
+this openness means that people (hackers) will look at your
-fingers and find code such as
+fingers and find code such as this snippet.
 {\footnotesize\lstinputlisting[language=Python,numbers=none]
 {../progs/estonia.py}}
-\noindent which can be downloaded from their github
+\noindent If you want to have a look their code can be
+downloaded from their github
 repository.\footnote{\url{https://github.com/vvk-ehk/evalimine/}}
 Also their system is designed such that Internet voting is
 used before the election: votes can be changed an unlimited
-amount of times, the last vote is tabulated, you can even
+amount of times, always the last vote is tabulated, you can
-change your vote on the polling day in person. This is an
+even change your vote on the polling day in person. This is an
 important security mechanism guarding against vote coercion,
 which of course is an important problem if you are allowed to
 vote via Internet.
 However, the weak spots in any Internet voting system are the
 voters' computers and the central server. Unfortunately, their
 system is designed such that they needs to trust the integrity
 of voters’ computers, central server components and also the
-election staff. In 2014, group of independent observers around
+election staff. In 2014, a group of independent observers around
 Alex Halderman were able to scrutinise the election process in
 Estonia. They found many weaknesses, for example careless
 handling of software updates on the servers. They also
 simulated an election with the available software and were
 able to covertly manipulate results by inserting malware on
 \end{center}
 \noindent This brings us to the question, what could be a
 viable electronic voting process in
 \underline{\textbf{\emph{theory}}} with current technology?
-In the literature one can find proposals such as
+In the literature one can find proposals such as this one:
 \begin{enumerate}
 \item Alice prepares and audits some ballots, then casts an
 encrypted ballot, which requires her to authenticate to
 a server.
 board and find her encrypted vote posted. This is to
 make sure the vote was received by the server.
 \item When the election closes, all votes are shuffled and the
 system produces a non-interactive proof of a correct
-shuffling. Correct in the sense that one cannot determine
+shuffling---correct in the sense that one cannot determine
 anymore who has voted for what. This will require a
-zero-knowledge-proof based shuffling procedure.
+shuffling procedure based on zero-knowledge-proofs.
-\item After a reasonable complaint period to let auditors
+\item After a reasonable complaint period, let auditors
 check the shuffling, all shuffled ballots are decrypted,
 and the system provides a decryption proof for each
 decrypted ballot. Again this will need a
 zero-knowledge-proof-type of method.
 data and verify the shuffle, decryptions and tally.
 \end{enumerate}
 \noindent As you can see the whole process is not trivial at
 all and leaves out a number of crucial details (such as how to
-best distribute public keys). It even depends on a highly
+best distribute public keys for encryption). It even depends
-sophisticated process called \emph{zero-knowledge-proofs}.
+on a highly sophisticated process called
-They essentially allow one to convince somebody else to know
+\emph{zero-knowledge-proofs}. They essentially allow one to
-a secret without revealing what the secret is. This is a kind
+convince somebody else to know a secret without actually
-of cryptographic ``magic'', like the Hellman-Diffie protocol
+revealing what the secret is. This is a kind of cryptographic
-which can be used to establish a secret even if you can only
+``magic'', like the Hellman-Diffie protocol which can be used
-exchange postcards with your communication partner. We will
+to establish a secret even if you can only exchange postcards
-look at zero-knowledge-proofs in a later lecture in more
+with your communication partner. We will look at
-detail.
+zero-knowledge-proofs in a later lecture in more detail.
 The point of these theoretical/hot-air musings is to show that
 such an e-voting procedure is far from convenient: it takes
 much more time to allow, for example, for scrutinising whether
 the votes were cast correctly. Very likely it will also not
 the Internet cannot be made secure with current technology.
 Voting has just too high demands on integrity and ballot
 secrecy. This is different from online banking where the whole
 process is designed around authentication. If fraud occurs,
 you try to identify who did what (somebody’s account got zero;
-somewhere the money went). Even if there might be even more
+somewhere the money went). Even if there might be more
 gigantic sums at stake in online banking than with voting,
 it can be solved. That does not mean there are no problems
 with online banking. But with enough thought, they can
 usually be overcome with technology we have currently. This
 is different with e-voting: even the best have not come
 up with something workable yet.
 This conclusion does not imply that in some special cases
-Internet voting cannot be made to work securely. Just in a
+of Internet voting cannot be made to work securely. Just in a
 general election where stakes are very high, it does not work.
 For example a good-enough and workable in-lecture online
 voting system where students' votes are anonymous and students
 cannot tamper with the outcome, I am sure, can be implemented.
 \bigskip

changeset 227	7807863c4196
parent 199	20af800ce736
child 276	d7109c6e721d