TABLE OF CONTENTS

1.  INTRODUCTION

2.  HISTORY

3.  DEFINITION

3.1  Electronic Voting System

3.2  Design of Direct Recording Elections (DRE) Machines

4.  SYSTEM OVERVIEW

4.1  How the System Works

5.  PURPOSE OF THE SYSTEM

6.  SECURITY CRITERIA

7.  VULNERABILITIES

7.1  Technical Vulnerabilities

7.1.1  Computer Code

7.1.2  Connection to other computers

7.1.3  Auditing Transparency

7.2  Social Vulnerabilities

7.2.1  Policy

7.2.2  Procedures

7.2.3  Personnel

8.  KINDS OF ATTACKS AND ATTACKERS

8.1  Potential Attackers

8.2  A Generic Attack

8.3  Kinds of Attacks

9.  DEFENSE

9.1  Goals of Defense

9.1.1  Protection

9.1.2  Detection

9.1.3  Reaction

9.2  Elements of Defense

9.2.1  Personnel

9.2.2  Technology

9.2.3  Operations

9.3 Tradeoffs

10.  CONCLUSION

11.  NEWS UPDATES

12.  GLOSSARY

13.  WORKS CITED

1. INTRODUCTION

Elections are at the heart of the democratic form of government, and providing sufficient security for them is therefore critical to the proper functioning of a democracy. With significant U.S. federal funds now available to replace outdated punch card and mechanical voting systems, municipalities and states throughout the U.S. are adopting paperless electronic voting systems from a number of different vendors. The voting system must also be tamper-resistant to thwart a wide range of attacks, including ballot stuffing by voters and incorrect tallying by insiders. Another important consideration, as shown by the so-called “butterfly ballots” in the Florida 2000 presidential election, is the importance of human factors. A voting system must be comprehensible to and usable by the entire voting population, regardless of age, infirmity, or disability. Providing accessibility to such a diverse population is an important engineering problem and one where, if other security is done well, electronic voting could be a great improvement over current paper systems. Flaws in any of these aspects of a voting system, however, can lead to indecisive or incorrect election results.
Our analysis will show that this voting system is far below the most minimal security standards applicable in other contexts.
1) We will identify several problems, including unauthorized privilege escalation, incorrect use of cryptography, and network vulnerabilities, together with the threats and defenses involved.
2) We will show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanism within the voting terminal software.
3) Even setting aside the most serious of our outsider attacks, the usual worries about insider threats are not the only concern; outsiders can also do damage.
4) We will demonstrate that the insider threat is also considerable, showing not only that an insider, such as a poll worker, can modify the votes, but also that insiders can violate voter privacy and match votes with the voters who cast them.
2. HISTORY

For the last 40 years, Californians have primarily voted on mechanical voting equipment using paper ballots that require the voter to either punch a hole in a card to indicate a vote selection, or to mark the ballot with a marking device. After the polls were closed, these ballots were collected from polling places and brought to a central location for counting. In February of 2002 a federal judge ordered that all pre-scored punch card voting equipment be replaced not later than January 1, 2004. This order requires Alameda, Los Angeles, Mendocino, Sacramento, San Bernardino, San Diego, Santa Clara, Shasta, and Solano counties, home to 56% of the state’s voters, to convert to new voting systems.

As a result of the Florida 2000 presidential election, the inadequacies of widely used punch card voting systems have become well understood by the general population. This has led to increasingly widespread adoption of “direct recording electronic” (DRE) voting systems. DRE systems, generally speaking, completely eliminate paper ballots from the voting process.

In the United States, 31% of voters can vote electronically. Electronic voting systems have been around for more than two decades, but the big surge came after the Florida election fiasco in 2000. In 2002, Congress passed the Help America Vote Act, which provided $3.9 billion in federal money to help counties buy new voting systems.

Much of that money has gone into electronic voting systems, which are now used in 675 counties with 48.4 million registered voters, nearly 31 percent of the electorate.

The systems promised many benefits. With no paper ballots, they would eliminate confusion over misplaced check marks or incomplete punches.

With touch screens or simple dials and buttons, they allowed people with disabilities to vote in private, without an election worker doing it for them. They made it easy to produce ballots in multiple languages in areas with large immigrant populations. Votes would be counted much faster.

But in the rush to buy the systems, problems have cropped up, some of them due to system failures and some due to lack of sufficient training of election workers.

There have been foul-ups and malfunctions in California and Florida. Computer scientists who studied some systems found security flaws.

3. DEFINITION

An electronic voting system is a voting system in which the election data is recorded, stored and processed primarily as digital information.

3.1 Electronic Voting Systems

There have been several studies on using computer technologies to improve elections. These studies caution about the risks of moving too quickly to adopt electronic voting machines because of the software engineering challenges, insider threats, network vulnerabilities, and the challenges of auditing.

The most fundamental problem with such a voting system is that the entire election hinges on the correctness, robustness, and security of the software within the voting terminal. Should that code have security relevant flaws, they might be exploitable either by unscrupulous voters or by malevolent insiders. Such insiders include election officials, the developers of the voting system, and the developers of the embedded operating system on which the voting system runs. If any party introduces flaws into the voting system software or takes advantage of pre-existing flaws, then the results of the election cannot be assured to accurately reflect the votes legally cast by the voters.

3.2 Design of Direct Recording Electronic (DRE) Machines

This type of machine, the newest entry in applying computer techniques to voting, is an electronic implementation of the lever-machine concept. This system type is currently used by slightly more than two and one-half percent of U.S. registered voters.

As with a lever machine, there is no ballot; the possible choices are visible to the voter on the front of the machine. The voter directly enters choices into electronic storage in the machine with the use of a touch-screen, or pushbuttons, or similar devices. If an alphabetic keyboard is provided with the voter-choice entry device, write-in possibilities are significantly eased.

The voter's choices are stored in the machine and summed there with all other voters' choices. At the close of polls, summaries from all machines are then combined to yield final results. (If the machine simply produces a ballot to be reviewed by the voter for correctness, and then the ballots are tallied to produce the final count, the machine cannot be categorized as DRE.)

The determination of the number of individual DRE machines required at a particular location requires the same type of considerations as for lever machines. As a DRE machine essentially consists of a voter-choice entry station and a computer to summarize choices, an implementation using several voter-choice entry devices and one computer is possible. In the latter system, several voters simultaneously use individual entry devices to record their votes. Votes are summarized in a single computer installation that serves all such devices at the precinct.

As with lever machines, overvotes are prevented on DRE machines, but undervotes are permissible. In a typical machine, the voter's choices are entered into a temporary storage unit. The storage unit controls a display, visible only to the voter, of the choices made. With this feedback, the voter is given some reason to believe that the desired choices have been entered correctly into the temporary storage, but no independent proof can be provided to the voter that the choices have, in fact, been entered correctly for the purpose of summarizing those choices with all others to produce vote totals.

4. SYSTEM OVERVIEW

First of all, the voting terminals must be installed at each voting location. In common usage, we believe the voting terminals will be distributed without a ballot definition (encoded as the election file, in which all election data is stored as a database) pre-installed.

4.1 How the System Works

Once the voting terminal is initialized with the ballot definitions and the election begins, voters are allowed to cast their votes. To get started, however, the voter must have a voter card. The voter card is a smartcard: a credit-card-sized plastic card with a computer chip on it that can store data and, in the case of a smartcard, perform computation.

The voter takes the voter card and inserts it into a smartcard reader attached to the voting terminal. The terminal checks that the smartcard in its reader is a voter card and, if it is, presents a ballot to the voter on the terminal screen. The actual ballot the voter sees may depend on the voter’s political party, which is programmed on the voter card. If a ballot cannot be found for the voter’s party, the voter is given a neutral ballot.

The voter interacts with the voting terminal, touching the appropriate boxes on the screen for his/her desired candidates. Before the ballots are committed to storage in the terminal, the voter is given a final chance to review his/her selections. If the voter confirms this, the vote is recorded on the voting terminal and the voter card is “canceled.” This final step is intended to prevent the voter from voting again with the same card. After the voter finishes voting, the poll worker takes the voter card from the voter and gets it ready for the next voter.
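The voter-card flow described in this section, modelled as an added example (not code from the report or from any real voting terminal): the terminal accepts only a live voter card, picks a party ballot or falls back to the neutral one, refuses selections that are not on that ballot, records the vote only after the voter confirms, and cancels the card so it is rejected on a second insertion. The class names, the ballot dictionary and the log strings are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class VoterCard:
    card_type: str            # "voter" for a voter card; anything else is rejected
    party: str = ""           # party programmed on the card; empty if none
    canceled: bool = False    # set by the terminal once a vote is committed

@dataclass
class Terminal:
    ballots: dict             # party -> {contest: [candidates]}; "neutral" is the fallback
    tally: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def select_ballot(self, card):
        """Check that the card is a live voter card, then choose its ballot."""
        if card.card_type != "voter":
            self.log.append("rejected: not a voter card")
            return None
        if card.canceled:
            self.log.append("rejected: card already canceled")
            return None
        return self.ballots.get(card.party, self.ballots["neutral"])

    def cast(self, card, choices, confirmed):
        """Record one voter's choices (one candidate per contest), then cancel the card."""
        ballot = self.select_ballot(card)
        if ballot is None:
            return False
        for contest, candidate in choices.items():
            if candidate not in ballot.get(contest, []):
                self.log.append(f"rejected: {candidate!r} not on the {contest!r} ballot")
                return False
        if not confirmed:  # voter backed out at the final review screen
            self.log.append("not recorded: voter did not confirm")
            return False
        for key in choices.items():
            self.tally[key] = self.tally.get(key, 0) + 1
        card.canceled = True  # the same card must not be accepted again
        return True

def demo():
    ballots = {"neutral": {"Mayor": ["A", "B"]},        # constructed ballots
               "green": {"Mayor": ["A", "B"], "Green primary": ["X", "Y"]}}
    t = Terminal(ballots)
    card = VoterCard("voter", party="green")
    first = t.cast(card, {"Mayor": "A"}, confirmed=True)
    second = t.cast(card, {"Mayor": "B"}, confirmed=True)  # same card, now canceled
    neutral = t.select_ballot(VoterCard("voter", party="unlisted")) is ballots["neutral"]
    return first, second, neutral, t.tally
```

The cancel flag lives on the card itself, which is exactly why a card whose contents an attacker can rewrite defeats this check; the terminal has no independent record that the card was used.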

5. PURPOSE OF THE SYSTEM

Do we need an electronic voting system?

a.  It could lead to increased voter turnout (USA 2001: 59%, 18-24 yrs: 39%), thus supporting the democratic process.

b.  It could give elections new potential (by providing ballots in multiple languages, accommodating lengthy ballots, facilitating early and absentee voting, etc.), thus broadening the democratic process.

c.  It could open a new market, thus supporting commerce and employment.

With the above history, the focus of the research will be to design and implement an electronic voting system that preserves the integrity of elections while utilizing technology for counting, speed, efficiency, and security standards. With these points in mind, the goals of the research will be to:

I) Develop an easy-to-use client-side program

a.  That will help all voters cast their vote

b.  Maintain a high level of security to avoid voter fraud

c.  Allow for checking and affirming the votes that are being made

II) Develop a server

a. That allows for quick reports/updates pre- and post-election, utilizing databases

b. Handles large scale voting requests using queuing methods

c. Maintain a high level of security to avoid voter fraud

III) Develop a dynamic voter registration system to allow for the enfranchisement of more individuals

6. SECURITY CRITERIA

-  Authentication: Only authorized voters should be able to vote.

Operator authentication. All people authorized to administer an election must gain access with nontrivial authentication mechanisms. Fixed passwords are generally not adequate. There must be no trapdoors, for example, for maintenance and setup that could be used for operational subversion. Some other type of authentication scheme is necessary, such as a biometric or token approach, although even those schemes themselves have recognized vulnerabilities.

-  Uniqueness: No voter should be able to vote more than once.

-  Accuracy: Voting systems should record the votes correctly.

System accountability. All internal operations must be monitored, without violating voter confidentiality. Monitoring must include votes recorded and votes tabulated, and all system programming and administrative operations such as pre- and post-election testing. All attempted and successful changes to configuration status (especially those in violation of the static system integrity requirement) must be noted. Furthermore, monitoring must be nonbypassable --- it must be impossible to turn off or circumvent. Monitoring and analysis of audit trails must themselves be nontamperable. All operator authentication operations must be logged.

-  Integrity: Votes should not be able to be modified without detection.

System integrity. The computer systems (in hardware and system software) must be tamperproof. Ideally, system changes must be prohibited throughout the active stages of the election process. That is, once certified, the code, initial parameters, and configuration information must remain static. No run-time self-modifying software can be permitted. End-to-end configuration control is essential. System boot load must be protected from subversion that could otherwise be used to implant Trojan horses. (Any ability to install a Trojan horse in the system must be considered as a potential for subverting an election.) Above all, vote counting must produce reproducibly correct results. It can be enhanced by the use of locally nonmodifiable read-only and once-writable memories, particularly for system programs and preset configuration data, respectively.

Data integrity. All data involved in entering and tabulating votes must be tamperproof. Votes must be recorded correctly.

-  Verifiability: It should be possible to verify that votes are correctly counted in the final tally.

-  Auditability: There should be reliable and demonstrably authentic election records.

-  Reliability: Systems should work robustly, even in the face of numerous failures.

System reliability. System development (design, implementation, maintenance, etc.) should attempt to minimize the likelihood of accidental system bugs and malicious code.

System availability. The system must be protected against both accidental and malicious denials of service, and must be available for use whenever it is expected to be operational.

Correctness is a mythical beast. In reliable systems, a probability of failure of 10**(-4) or 10**(-9) per hour may be required. However, such measures are too weak for voting systems. For example, a one-bit error in memory might result in the loss or gain of 2**k votes (for example, 1024 or 65,536). Ideally, numerical errors attributable to hardware and software must not be tolerated, although a few errors in reading cards may be acceptable within narrow ranges. Efforts must be made to detect errors attributable to the hardware through fault-tolerance techniques or software consistency checks. Any detected but uncorrectable errors must be monitored, forcing a controlled rerun. However, a policy that permits any detected inconsistencies to invalidate election results would be very dangerous, because it might encourage denial-of-service attacks by the expected losers. Note also that any software-implemented fault-tolerance technique is itself a possible source of subversion.
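An added example (not code from the report) of the two points made in the last paragraph: a single bit flipped in a stored counter changes the tally by exactly 2**k votes, and a software consistency check can detect it. The tally keeps an independent ballot counter and a redundant copy of each candidate counter, so undervotes (permitted, as noted in section 3.2) still reconcile; the class and function names and the constructed vote counts are assumptions for illustration.

```python
def flip_bit(value, k):
    """Simulate a hardware fault by toggling bit k of a stored counter."""
    return value ^ (1 << k)

class Tally:
    """Per-candidate counters plus the redundant data a consistency check needs."""
    def __init__(self, candidates):
        self.counts = {c: 0 for c in candidates}   # primary counters
        self.mirror = {c: 0 for c in candidates}   # redundant copy, updated in step
        self.undervotes = 0                        # ballots with no selection (permitted)
        self.ballots_cast = 0                      # independent ballot counter

    def record(self, candidate=None):
        """Record one ballot; candidate=None is an undervote."""
        if candidate is None:
            self.undervotes += 1
        else:
            self.counts[candidate] += 1
            self.mirror[candidate] += 1
        self.ballots_cast += 1

    def check(self):
        """Return the inconsistencies found; an empty list means the tally reconciles."""
        problems = []
        if sum(self.counts.values()) + self.undervotes != self.ballots_cast:
            problems.append("candidate counts plus undervotes != ballots cast")
        for c, n in self.counts.items():
            if n != self.mirror[c]:
                problems.append(f"counter for {c} disagrees with its redundant copy")
        return problems

def demo(k=10):
    """Constructed election: 300 votes for A, 200 for B, 5 undervotes; then one bit flips."""
    t = Tally(["A", "B"])
    for _ in range(300):
        t.record("A")
    for _ in range(200):
        t.record("B")
    for _ in range(5):
        t.record(None)
    clean = t.check()                             # reconciles before the fault
    before = t.counts["A"]
    t.counts["A"] = flip_bit(t.counts["A"], k)    # one-bit error in A's counter
    delta = t.counts["A"] - before                # gain or loss of exactly 2**k votes
    return clean, delta, t.check()
```

A detected mismatch should trigger the controlled rerun the paragraph calls for, not automatic invalidation, and the check itself must be kept out of reach of the same parties who could tamper with the counters.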