\documentclass[dvipsnames,14pt,t]{beamer}+ −
\usepackage{../slides}+ −
\usepackage{../graphics}+ −
\usepackage{../langs}+ −
+ −
\setmonofont[Scale=.88]{Consolas}+ −
\newfontfamily{\consolas}{Consolas}+ −
+ −
\hfuzz=220pt + −
+ −
% beamer stuff + −
\renewcommand{\slidecaption}{SEN 02, King's College London}+ −
+ −
%Bank vs Voting+ −
%http://www.parliament.vic.gov.au/images/stories/committees/emc/2010_Election/submissions/13_VTeague_EMC_Inquiry_No.6.pdf+ −
+ −
% first cyber attack+ −
%http://investigations.nbcnews.com/_news/2013/03/18/17314818-cyberattack-on-florida-election-is-first-known-case-in-us-experts-say+ −
+ −
\newcommand{\bl}[1]{\textcolor{blue}{#1}} + −
+ −
\begin{document}+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{%+ −
\begin{tabular}{@ {}c@ {}}+ −
\\+ −
\LARGE Security Engineering (2)\\[-3mm] + −
\end{tabular}}\bigskip\bigskip\bigskip+ −
+ −
\normalsize+ −
\begin{center}+ −
\begin{tabular}{ll}+ −
Email: & christian.urban at kcl.ac.uk\\+ −
Office: & S1.27 (1st floor Strand Building)\\+ −
Slides: & KEATS (also homework is there)\\+ −
\end{tabular}+ −
\end{center}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{c}This Course is about\\[-2mm] ``Satan's Computer''\end{tabular}}+ −
+ −
Ross Anderson and Roger Needham wrote:\bigskip+ −
+ −
\begin{bubble}[10cm]+ −
\small+ −
``In effect, our task is to program a computer which gives + −
answers which are subtly and maliciously wrong at the most + −
inconvenient possible moment\ldots{} we hope that the lessons + −
learned from programming Satan's computer may be helpful + −
in tackling the more common problem of programming Murphy's.''+ −
\end{bubble}\\[30mm]+ −
+ −
\only<2>{+ −
\begin{textblock}{11}(3.5,12)+ −
\begin{tabular}{c}+ −
\includegraphics[scale=0.12]{../pics/ariane.jpg}\\[-2mm]+ −
\footnotesize Murphy's computer+ −
\end{tabular}+ −
\begin{tabular}{c}+ −
\includegraphics[scale=0.15]{../pics/mobile.jpg}\;+ −
\includegraphics[scale=0.06]{../pics/pinsentry.jpg}\\[-2mm]+ −
\footnotesize Satan's computers+ −
\end{tabular}+ −
\end{textblock}}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Defence in Depth}+ −
+ −
\begin{center}\small+ −
\pcode{urbanc:$6$3WWbKfr1$4vblknvGr6FcDeF92R5xFn3mskfdnEn...:...}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item hashes help when password databases are leaked+ −
\item salts help with protecting against precomputed dictionary attacks
and help people who have the same password on different sites\medskip
+ −
\item but they do not protect against a focused attack against a single + −
password and also do not make poorly chosen passwords any better+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Subtle Points}+ −
+ −
\begin{itemize}+ −
\item in our web-application the salt needed to remain secret;+ −
in password files the salt is public\bigskip+ −
+ −
\item the NYT has the ``resource'' unlocked at first+ −
and locks it depending on the cookie data+ −
\item our ``web-application'' has the resource locked at first,+ −
and unlocks it depending on the cookie data+ −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{How to Salt?}+ −
+ −
\begin{center}\tt\small+ −
\begin{tabular}{lcl}+ −
1salt & $\Rightarrow$ & 8189effef4d4f7411f4153b13ff72546dd682c69\\+ −
2salt & $\Rightarrow$ & 1528375d5ceb7d71597053e6877cc570067a738f\\+ −
3salt & $\Rightarrow$ & d646e213d4f87e3971d9dd6d9f435840eb6a1c06\\+ −
4salt & $\Rightarrow$ & 5b9e85269e4461de0238a6bf463ed3f25778cbba\\+ −
\end{tabular}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item in Unix systems: \texttt{hash(salt + password)}, or even
\texttt{hash$^{\texttt{1500}}$(salt + password)}, where iterating the hash makes every guess slower\smallskip\pause
\item Bruce Schneier, in case messages are long: \\
instead of \texttt{m $\mapsto$ hash(m)},\\ use \texttt{m $\mapsto$ hash(hash(m) + m)}
\end{itemize}+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\Large\begin{tabular}{c}User-Tracking Without Cookies\end{tabular}}+ −
+ −
Can you track a user {\bf without}:+ −
+ −
\begin{itemize}+ −
\item Cookies+ −
\item JavaScript+ −
\item LocalStorage/SessionStorage/GlobalStorage+ −
\item Flash, Java or other plugins+ −
\item Your IP address or user agent string+ −
\item Any methods employed by Panopticlick\\+ −
\mbox{}\hfill $\rightarrow$ \textcolor{blue}{\url{https://panopticlick.eff.org/}}+ −
\end{itemize}+ −
+ −
Even when you have disabled cookies entirely, turned JavaScript off and use a VPN
service, and also \ldots
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}+ −
\frametitle{Verizon}+ −
\mbox{}\\[-23mm]\mbox{} + −
+ −
\begin{center}+ −
\includegraphics[scale=0.21]{../pics/verizon.png}+ −
\end{center}+ −
\vfill\footnotesize+ −
\url{http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works}+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Web-Protocol}+ −
+ −
\only<1->{+ −
\begin{textblock}{1}(2,2)+ −
\begin{tikzpicture}[scale=1.3]+ −
\draw[white] (0,0) node (X) {\includegraphics[scale=0.12]{../pics/firefox.jpg}};+ −
\end{tikzpicture}+ −
\end{textblock}}+ −
+ −
\only<1->{+ −
\begin{textblock}{1}(11,2)+ −
\begin{tikzpicture}[scale=1.3]+ −
\draw[white] (0,0) node (X) {\includegraphics[scale=0.15]{../pics/servers.png}};+ −
\end{tikzpicture}+ −
\end{textblock}}+ −
+ −
\only<1->{+ −
\begin{textblock}{1}(5,2.5)+ −
\begin{tikzpicture}[scale=1.3]+ −
\draw[white] (0,0) node (X) {};+ −
\draw[white] (3,0) node (Y) {};+ −
\draw[red, ->, line width = 2mm] (X) -- (Y);+ −
\node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg}] at ($ (X)!.5!(Y) $) {};+ −
\end{tikzpicture}+ −
\end{textblock}}+ −
+ −
\only<2->{+ −
\begin{textblock}{1}(5,6)+ −
\begin{tikzpicture}[scale=1.3]+ −
\draw[white] (0,0) node (X) {};+ −
\draw[white] (3,0) node (Y) {};+ −
\draw[red, <-, line width = 2mm] (X) -- (Y);+ −
\node [inner sep=5pt,label=below:\textcolor{black}{\small ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};+ −
\node [inner sep=5pt,label=above:{\includegraphics[scale=0.15]{../pics/tvtestscreen.jpg}}] at ($ (X)!.5!(Y) $) {};+ −
\end{tikzpicture}+ −
\end{textblock}}+ −
+ −
\only<3->{+ −
\begin{textblock}{1}(4.2,11)+ −
\begin{tikzpicture}[scale=1.3]+ −
\draw[white] (0,0) node (X) {};+ −
\draw[white] (3,0) node (Y) {};+ −
\draw[red, ->, line width = 2mm] (X) -- (Y);+ −
\node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};+ −
\end{tikzpicture}+ −
\end{textblock}}+ −
+ −
\only<4->{+ −
\begin{textblock}{1}(4.2,13.9)+ −
\begin{tikzpicture}[scale=1.3]+ −
\draw[white] (0,0) node (X) {};+ −
\draw[white] (3,0) node (Y) {};+ −
\draw[red, <-, line width = 2mm] (X) -- (Y);+ −
\node [inner sep=5pt,label=below:\textcolor{black}{\small HTTP/1.1 304 (Not Modified)}] at ($ (X)!.5!(Y) $) {};+ −
\end{tikzpicture}+ −
\end{textblock}}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Today's Lecture}+ −
\begin{center}+ −
\begin{tabular}{ccc}+ −
\large online banking & \hspace{3mm}\large{}vs\hspace{3mm} & \large e-voting\\+ −
\textcolor{gray}{solved} & & \textcolor{gray}{unsolved}\\+ −
\end{tabular}+ −
\end{center}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{E-Voting}+ −
+ −
\begin{bubble}[9cm]+ −
``Any electronic voting system should provide at least the same+ −
security, privacy and transparency as the system it replaces.''+ −
\end{bubble}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{Voting as Security Problem}+ −
+ −
What are the security requirements of a voting system?\bigskip+ −
+ −
\begin{itemize}+ −
\item<2->Integrity + −
\item<3->Ballot Secrecy+ −
\item<5->Voter Authentication+ −
\item<6->Enfranchisement+ −
\item<7->Availability+ −
\end{itemize}+ −
+ −
\only<2>{+ −
\begin{textblock}{5.5}(8,5)+ −
\begin{bubble}[5cm]\small+ −
\begin{center}+ −
\begin{minipage}{4.5cm}+ −
\begin{itemize}+ −
\item The outcome matches the voters' intent.
\item There might be gigantic sums at stake, so attacks on the outcome need to be defended against.
\end{itemize}+ −
\end{minipage}+ −
\end{center}+ −
\end{bubble}+ −
\end{textblock}}+ −
+ −
\only<4>{+ −
\begin{textblock}{5.5}(8,5)+ −
\begin{bubble}[5cm]\small+ −
\begin{center}+ −
\begin{minipage}{4.5cm}+ −
\begin{itemize}+ −
\item Nobody can find out how you voted.+ −
\item (Stronger) Even if you try, you cannot prove how you voted.+ −
\end{itemize}+ −
\end{minipage}+ −
\end{center}+ −
\end{bubble}+ −
\end{textblock}}+ −
+ −
\only<5>{+ −
\begin{textblock}{5.5}(8,5)+ −
\begin{bubble}[5cm]\small+ −
\begin{center}+ −
\begin{minipage}{4.5cm}+ −
\begin{itemize}+ −
\item Only authorised voters can vote up to the permitted number of votes.+ −
\end{itemize}+ −
\end{minipage}+ −
\end{center}+ −
\end{bubble}+ −
\end{textblock}}+ −
+ −
\only<6>{+ −
\begin{textblock}{5.5}(8,5)+ −
\begin{bubble}[5cm]\small+ −
\begin{center}+ −
\begin{minipage}{4.5cm}+ −
\begin{itemize}+ −
\item Authorised voters should have the opportunity to vote.+ −
\end{itemize}+ −
\end{minipage}+ −
\end{center}+ −
\end{bubble}+ −
\end{textblock}}+ −
+ −
\only<7>{+ −
\begin{textblock}{5.5}(8,5)+ −
\begin{bubble}[5cm]\small+ −
\begin{center}+ −
\begin{minipage}{4.5cm}+ −
\begin{itemize}+ −
\item The voting system should accept all authorised votes and produce results in a timely manner.+ −
\end{itemize}+ −
\end{minipage}+ −
\end{center}+ −
\end{bubble}+ −
\end{textblock}}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{Problems with Voting}+ −
+ −
\begin{center}\large+ −
\begin{tabular}{rcl}+ −
Integrity & vs. & Ballot Secrecy\bigskip\\+ −
Authentication & vs. &Enfranchisement + −
\end{tabular}+ −
\end{center}\bigskip\bigskip\pause+ −
+ −
Further constraints:+ −
+ −
\begin{itemize}+ −
\item costs+ −
\item accessibility+ −
\item convenience+ −
\item intelligibility + −
\end{itemize}+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{Traditional Ballot Boxes}+ −
+ −
\begin{center}+ −
\includegraphics[scale=2.5]{../pics/ballotbox.jpg}+ −
\end{center}\pause\bigskip+ −
+ −
mechanical, but they need a ``protocol''+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}+ −
\frametitle{Motives for E-Voting}+ −
+ −
\begin{itemize}+ −
\item 76\% of pensioners in the UK vote, but only 44\% of the under-25s\bigskip+ −
\item convenience\bigskip+ −
\item speed + −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{E-Voting}+ −
+ −
\begin{itemize}+ −
\item The Netherlands had electronic voting machines between 1997 and 2006\\
\textcolor{gray}{(hacktivists found that they can be
hacked and that they also emitted radio signals revealing how you voted)}
+ −
\item Germany had used them in pilot studies\\ \textcolor{gray}{(in
2007 a lawsuit reached the highest court, which rejected
electronic voting on the grounds of not being understandable by the
general public)}
+ −
\item UK used optical scan voting systems in a few test polls, but+ −
abandoned any wide deployment+ −
\end{itemize}+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{E-Voting}+ −
+ −
\mbox{}\\[-12mm]+ −
\begin{itemize}+ −
\item US used mechanical machines since the 30s, later punch cards,+ −
now DREs and optical scan voting machines+ −
+ −
\item Estonia used the Internet for national elections in 2007
\textcolor{gray}{(there were earlier pilot studies in other+ −
countries)}+ −
+ −
\item India has used e-voting devices since at least
2003\\ \textcolor{gray}{(``keep-it-simple'' machines produced by a+ −
government owned company)}+ −
+ −
\item South Africa used software for its tallying in the 1993+ −
elections (when Nelson Mandela was elected) \textcolor{gray}{(they+ −
found the tallying software was rigged, but they were able to+ −
tally manually)}+ −
\end{itemize}+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{E-Voting in Estonia}+ −
+ −
\begin{itemize}+ −
\item world's first general election that used Internet voting (2007)
\item builds on the Estonian ID card (a smartcard like CC)+ −
\item Internet voting can be used before the election (votes can be changed an
unlimited number of times, the last vote is tabulated, you can even change your
vote on the polling day in person)
\item in the 2011 parliamentary election 24\% voted via Internet\bigskip\pause+ −
+ −
\item requires trusting the integrity of voters' computers,
central server components and the election staff
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
+ −
\footnotesize+ −
\lstinputlisting[language=Python,xleftmargin=0mm]{../progs/estonia.py}+ −
+ −
\begin{textblock}{5.5}(7.8,0.5)+ −
\begin{bubble}[5cm]\small+ −
from \url{https://github.com/vvk-ehk/evalimine/}+ −
\end{bubble}+ −
\end{textblock}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
E-Voting in \textbf{Theory}+ −
\small+ −
\begin{itemize}+ −
\item Alice prepares and audits a ballot, then casts an encrypted + −
ballot, which requires her to authenticate to a server.+ −
+ −
\item A bulletin board posts Alice's name and encrypted ballot. + −
Anyone, including Alice, can check the bulletin board and find her + −
encrypted vote posted.+ −
+ −
\item When the election closes, all votes are shuffled and the system produces + −
a non-interactive proof of a correct shuffling. (zero-knowledge-proofs)+ −
+ −
\item After a reasonable complaint period to let auditors check the + −
shuffling, all shuffled ballots are decrypted, and the system provides + −
a decryption proof for each decrypted ballot. (zero-knowledge-proofs)+ −
+ −
\item Perform a tally of the decrypted votes.+ −
+ −
\item An auditor can download the entire election data and verify the + −
shuffle, decryptions and tally.+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{A Brief History of Voting}+ −
+ −
\begin{itemize}+ −
\item Athenians+ −
\begin{itemize}+ −
\item show of hands+ −
\item ballots on pieces of pottery+ −
\item different colours of stones+ −
\item ``facebook''-like authorisation + −
\end{itemize}\bigskip+ −
+ −
\textcolor{gray}{problems with vote buying / no ballot privacy}\bigskip+ −
+ −
+ −
\item French Revolution and the US Constitution got things ``started'' with + −
paper ballots (you first had to bring your own; later they were pre-printed by parties)+ −
\end{itemize}+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[t]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}+ −
+ −
Security policies with paper ballots:+ −
+ −
\begin{enumerate}+ −
\item you need to check that the ballot box is empty at the start of the poll / no false bottom (to prevent ballot stuffing)+ −
\item you need to guard the ballot box during the poll until counting+ −
\item tallied by a team at the end of the poll (independent observers) + −
\end{enumerate}+ −
+ −
\begin{center}+ −
\includegraphics[scale=1.5]{../pics/ballotbox.jpg}+ −
\end{center}+ −
+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
\begin{frame}[c]+ −
+ −
Which security requirements do paper ballots satisfy better than voice voting?\bigskip+ −
+ −
\begin{itemize}+ −
\item Integrity+ −
\item Enfranchisement+ −
\item Ballot secrecy+ −
\item Voter authentication+ −
\item Availability+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[t]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}Paper Ballots\end{tabular}}+ −
+ −
What can go wrong with paper ballots?+ −
+ −
\only<2>{+ −
\begin{center}+ −
\includegraphics[scale=0.8]{../pics/tweet.jpg}\\+ −
\footnotesize William M.~Tweed, US politician in the 1860s\\
``As long as I count the votes, what are you going to do about it?''+ −
\end{center}}+ −
+ −
\only<3>{+ −
\medskip+ −
\begin{center}+ −
\begin{minipage}{10cm}+ −
{\bf Chain Voting Attack}+ −
\begin{enumerate}+ −
\item you obtain a blank ballot and fill it out as you want+ −
\item you give it to a voter outside the polling station+ −
\item voter receives a new blank ballot+ −
\item voter submits prefilled ballot+ −
\item voter gives blank ballot to you, you give money+ −
\item goto 1+ −
\end{enumerate}+ −
\end{minipage}+ −
\end{center}+ −
}+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{\Large Mechanical Voting Machines}+ −
+ −
\begin{itemize}+ −
\item<1-> Lever Voting Machines (ca.~1930 - 1990)+ −
\only<1>{+ −
\begin{center}+ −
\includegraphics[scale=0.56]{../pics/leavermachine.jpg}+ −
\end{center}+ −
}+ −
\item<2->Punch Cards (ca.~1950 - 2000)+ −
\only<2>{+ −
\begin{center}+ −
\includegraphics[scale=0.5]{../pics/punchcard1.jpg}\;\;+ −
\includegraphics[scale=0.46]{../pics/punchcard2.jpg}+ −
\end{center}+ −
}+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[t]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}Electronic Voting Machines\end{tabular}}+ −
+ −
\begin{center}+ −
\begin{tabular}{c}+ −
\includegraphics[scale=0.45]{../pics/dre1.jpg}\; + −
\includegraphics[scale=0.40]{../pics/dre2.jpg}\\\hline\\+ −
\includegraphics[scale=0.5]{../pics/opticalscan.jpg} + −
\end{tabular}+ −
\end{center}+ −
+ −
\only<1->{+ −
\begin{textblock}{5.5}(1,4)+ −
DREs+ −
\end{textblock}}+ −
\only<1->{+ −
\begin{textblock}{5.5}(1,11)+ −
Optical Scan+ −
\end{textblock}}+ −
+ −
\only<2>{+ −
\begin{textblock}{5.5}(0.5,14.5)+ −
\small all are ``computers''+ −
\end{textblock}}+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}DREs\end{tabular}}+ −
+ −
Direct-recording electronic voting machines\\ + −
(votes are recorded for example on memory cards)+ −
+ −
typically touchscreen machines+ −
+ −
usually no paper trail
+ −
\begin{center}+ −
\includegraphics[scale=0.56]{../pics/dre1.jpg}+ −
\end{center}+ −
+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}+ −
+ −
Alex Halderman:+ −
+ −
\begin{itemize}+ −
\item acquired a machine from an anonymous source\medskip+ −
\item the manufacturer tries to keep the source code running on the machine secret\medskip\pause
+ −
\item first reverse-engineered the machine (extremely tedious)
\item could completely reboot the machine and even install a virus that infects other Diebold machines
\item also obtained the source code for other machines
\end{itemize}+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}+ −
+ −
What could go wrong?\pause \;\;Failure-in-depth.\bigskip\pause+ −
+ −
A non-obvious problem:+ −
+ −
\begin{itemize}+ −
\item you can nowadays get old machines, which still store old polls\medskip+ −
+ −
\item the paper ballot box needed to be secured during the voting until counting;
e-voting machines need to be secured during their entire lifetime
\end{itemize}+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}Paper Trail\end{tabular}}+ −
+ −
Conclusion:\\ Any electronic solution should have a paper trail.+ −
+ −
\begin{center}+ −
\begin{tabular}{c}+ −
\includegraphics[scale=0.5]{../pics/opticalscan.jpg} + −
\end{tabular}+ −
\end{center}\pause+ −
+ −
You still have to solve problems about+ −
voter registration, voter authentication, guarding against tampering+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting in India\end{tabular}}+ −
+ −
Their underlying engineering principle is ``keep-it-simple'':+ −
+ −
\begin{center}+ −
\begin{tabular}{c}+ −
\includegraphics[scale=1.05]{../pics/indiaellection.jpg}\;\;+ −
\includegraphics[scale=0.40]{../pics/india1.jpg}+ −
\end{tabular}+ −
\end{center}\medskip\pause+ −
+ −
Official claims: ``perfect'', ``tamperproof'', ``no need for technical improvements'', ``infallible''
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{@ {}c@ {}}Lessons Learned\end{tabular}}+ −
+ −
\begin{itemize}+ −
\item keep a paper trail and design your system to keep this secure\medskip+ −
\item make the software open source (avoid security-by-obscurity)\medskip+ −
\item have a simple design in order to minimise the attack surface+ −
\end{itemize}\pause+ −
+ −
But overall, in times of NSA/state sponsored cyber-crime, e-voting is+ −
too hard with current technology.+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\Large Online Banking vs.~E-Voting}+ −
+ −
\begin{itemize}+ −
\item online banking: if fraud occurs, you try to identify who did
what (somebody's account went to zero)\bigskip
\item e-voting: some parts can be done electronically, but not the+ −
actual voting+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Student In-Lecture Polling}+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.3]{../pics/clicker.png}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item can guarantee anonymity+ −
\item integrity by electronic means\bigskip+ −
+ −
\item how to achieve the same in ``software''?+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Anonymity}+ −
+ −
\begin{itemize}+ −
\item anonymity through one-time pads+ −
\begin{center}+ −
\includegraphics[scale=0.3]{../pics/tan.jpg}+ −
\end{center}\bigskip\pause+ −
+ −
\item solving the problem of distribution+ −
\begin{center}+ −
\includegraphics[scale=0.3]{../pics/bulletin.jpg}+ −
\end{center}+ −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.56]{../pics/Voting1.png}+ −
\end{center}+ −
+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.56]{../pics/Voting2.png}+ −
\end{center}+ −
+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.56]{../pics/Voting3.png}+ −
\end{center}+ −
+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\mode<presentation>{+ −
\begin{frame}[c]+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.56]{../pics/Voting4.png}+ −
\end{center}+ −
+ −
+ −
\end{frame}}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Unix-Style Access Control}+ −
+ −
How to control access? In Unix you have
+ −
\begin{itemize}+ −
\item users and groups/roles
\item some special roles: root+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Unix-Style Access Control}+ −
\small+ −
+ −
\begin{itemize}+ −
\item + −
Q: ``I am using Windows. Why should I care?'' \\ + −
A: In Windows you have similar AC:+ −
+ −
\begin{center}+ −
\begin{tabular}{l}+ −
administrators group\\ + −
\hspace{5mm}(has complete control over the machine)\\+ −
authenticated users\\+ −
server operators\\+ −
power users\\+ −
network configuration operators+ −
\end{tabular}+ −
\end{center}\medskip+ −
+ −
\item Modern versions of Windows have more fine-grained AC than Unix;+ −
they do not have a setuid bit, but have \texttt{runas} (asks for a+ −
password).\pause+ −
+ −
\item OS-provided access control can \alert{\bf add} to your security.+ −
(defence in depth)+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}+ −
+ −
+ −
\begin{center}+ −
\begin{tikzpicture}[scale=1]+ −
+ −
\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);+ −
\draw (4.7,1) node {Internet};+ −
\draw (-2.7,1.7) node {\footnotesize Application};+ −
\draw (0.6,1.7) node {\footnotesize Interface};+ −
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};+ −
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};+ −
+ −
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);+ −
+ −
\draw[white] (1.7,1) node (X) {};+ −
\draw[white] (3.7,1) node (Y) {};+ −
\draw[red, <->, line width = 2mm] (X) -- (Y);+ −
+ −
\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);+ −
\end{tikzpicture}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item the idea is to make the attack surface smaller and to mitigate the
consequences of an attack
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Weaknesses of Unix AC}+ −
+ −
Not just restricted to Unix:+ −
+ −
\begin{itemize}+ −
\item if you have too many roles (i.e.~too fine-grained AC), then
the hierarchy is too complex\\ \textcolor{gray}{you invite situations
like\ldots let's be root}\bigskip
+ −
\item you can still abuse the system\ldots+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{A ``Cron''-Attack}+ −
+ −
The idea is to trick a privileged person into doing something on your
behalf:
+ −
\begin{itemize}+ −
\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause+ −
+ −
\footnotesize+ −
\begin{minipage}{1.1\textwidth}+ −
\textcolor{gray}{the shell behind the scenes:}\\+ −
\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\+ −
+ −
\textcolor{gray}{this takes time}+ −
\end{minipage}+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{A ``Cron''-Attack}+ −
+ −
\begin{enumerate}+ −
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ + −
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip+ −
\item root \textcolor{gray}{(does the daily cleaning)}\\+ −
\texttt{rm /tmp/*/*}\medskip\\+ −
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ + −
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\+ −
+ −
\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to + −
the real passwd file)}\\+ −
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\+ −
\item root now deletes the real passwd file+ −
\end{enumerate}+ −
+ −
\only<2>{+ −
\begin{textblock}{11}(2,5)+ −
\begin{bubble}[8cm]+ −
\normalsize This is a race between listing the files and deleting them
(time-of-check to time-of-use). To prevent this kind of attack, you need
additional policies (don't do such operations as root).
\end{bubble}+ −
\end{textblock}}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\Large Buffer Overflow Attacks}+ −
+ −
\begin{center}+ −
\begin{columns}[b]+ −
\begin{column}{.4\textwidth}+ −
\centering+ −
\includegraphics[scale=0.3]{../pics/barrier.jpg}\\+ −
first lecture+ −
\end{column}+ −
\begin{column}<2>{.4\textwidth}+ −
\centering+ −
\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\+ −
next week+ −
\end{column}+ −
\end{columns}+ −
\end{center}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
\end{document}+ −
+ −
%%% Local Variables: + −
%%% mode: latex+ −
%%% TeX-master: t+ −
%%% End: + −
+ −