a ``secure way'' seems to be one of the things in computer
science that are still very much unsolved. It is not on the
scale of Turing's halting problem, which has been proved to be
unsolvable in general, but more in the category of being
unsolvable with current technology. This is not just my
opinion, but also shared by many security researchers, amongst
them Alex Halderman, who is the world-expert on this subject
and from whose course on Securing Digital Democracy I have
most of my information and inspiration. It is also a
controversial topic in many countries:


\item There might be gigantic sums at stake that need to be
defended against. The problem with this is that if
the incentives are great and enough resources are
available, then maybe it is feasible to mount a DoS
attack against the voting server and, by bringing the
system to its knees, change the outcome of an
election. Not to mention hacking the complete
system with malware and changing votes undetectably.
\end{itemize}


\item {\bf Availability}
\begin{itemize}
\item The voting system should accept all authorised votes
and produce results in a timely manner. If you move
an election online, you have to guard against DoS
attacks, for example.
\end{itemize}
\end{itemize}

\noindent While these requirements seem natural, the problem

Alexander the Great invaded it. Have a look at Wikipedia about
the history of democracy for more information. These elections
were mainly based on voting by show of hands. While this
method of voting satisfies many of the requirements stipulated
above, the main problem with hand voting is that it does not
guarantee ballot secrecy. As far as I know the old Greeks and
Romans did not perceive this as a problem, but the result was
that their elections favoured rich, famous people who had
enough resources to swing votes. Even using small coloured
stones did not really mitigate the problem with ballot
secrecy. The problem of authorisation was solved by friends or
neighbours vouching for you to prove you were eligible to vote
(there were no ID cards in ancient Greece and Rome).

Starting with the French Revolution and the US constitution,
people started to value a more egalitarian approach to voting
and electing officials. This was also the time where paper


What made matters worse was that Diebold tried to hide the
incompetence and inferiority of their products by requiring
that election counties must not give the machines up for
independent review. They also kept their source code secret.
This meant Halderman and his group had to obtain a machine
outside the official channels. Then they had to reverse
engineer the source code in order to design their attack.
What this all showed is that a shady security design is no
match for a determined hacker.


\noindent An interesting solution for e-voting was designed in
India. Essentially they designed a bespoke voting device,
which could not be used for anything else. Having a bespoke
device is a good security engineering decision because it
makes the attack surface smaller. If you have a full-fledged
computer behind your system, then you can do everything a
computer can do\ldots{}that is a lot, including a lot of
abuse. What was bad was that these machines did not have the
important paper trail: that means if an election was tampered
with, nobody would find out. Even if they had by their bespoke

handling of software updates on the servers. They also
simulated an election with the available software and were
able to covertly manipulate results by inserting malware on
the voters' computers. Overall, their recommendation is
to abandon Internet voting and to go back to an entirely
paper-based voting process. In the face of state-sponsored
cyber-crime (for example NSA), Internet voting cannot be made
secure with current technology. They have a small video
clip with their findings at

\begin{center}
all and leaves out a number of crucial details (such as how to
best distribute public keys). It even depends on a highly
sophisticated process called \emph{zero-knowledge-proofs}.
They essentially allow one to convince somebody else that one
knows a secret without revealing what the secret is. This is a
kind of cryptographic ``magic'', like the Hellman-Diffie
protocol, which can be used to establish a secret even if you
can only exchange postcards with your communication partner.
We will look at zero-knowledge-proofs in a later lecture in
more detail.

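The postcard analogy and the zero-knowledge idea above, as an added example that is not part of the lecture notes: a toy Diffie-Hellman exchange in which the postman sees only the public values, and a Schnorr-style proof that a party knows a secret exponent without revealing it. The group parameters (p = 23, q = 11, g = 4) and all function names are my own assumptions, chosen tiny for readability; the Schnorr part goes beyond what the text shows, as one concrete instance of the zero-knowledge idea it mentions.

```python
# Added example, not the lecture's code: toy DH by postcard + Schnorr proof.
import secrets

# Toy group: p = 2q + 1 is a safe prime and g generates the subgroup of
# prime order q.  Chosen for readability only; real groups are >= 2048 bits.
P, Q, G = 23, 11, 4

def keypair():
    """Secret exponent x in [1, q-1] and the public value g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def dh_exchange():
    """Alice and Bob each mail one postcard (their public value) and end
    up with the same secret.  Returns both secrets and the postman's view."""
    a, card_from_alice = keypair()
    b, card_from_bob = keypair()
    postman_sees = (P, G, card_from_alice, card_from_bob)  # never a or b
    k_alice = pow(card_from_bob, a, P)
    k_bob = pow(card_from_alice, b, P)
    return k_alice, k_bob, postman_sees

def schnorr_commit():
    """Prover step 1: fresh nonce r (never reused) and commitment t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def schnorr_challenge():
    """Verifier step 2: non-zero random challenge (c = 0 would accept anything)."""
    return 1 + secrets.randbelow(Q - 1)

def schnorr_respond(x, r, c):
    """Prover step 3: s = r + c*x mod q.  The random r masks x in s."""
    return (r + c * x) % Q

def schnorr_verify(y, t, c, s):
    """Verifier step 4: accept iff g^s == t * y^c mod p; x never appears."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_schnorr(x, y):
    """Full interaction for a prover claiming to know x with y = g^x mod p."""
    r, t = schnorr_commit()
    c = schnorr_challenge()
    s = schnorr_respond(x, r, c)
    return schnorr_verify(y, t, c, s)
```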