Gail Watt
Sat, 18 Nov 2000 23:57:25 -0800
Dear Dr. Gerck,

First of all, my use of the word "nonchalant" (in the Swedish version I wrote, the word was "lättsinnig", which is not quite so aggressive) was unfortunate and I apologize for that. However, I would like to comment as below.

>> I must say I was surprised at the nonchalance with which SafeVote
>> handled some of the security issues in the link presented here on
>> our e-democracy list: http://www.safevote.com/tech.htm : "Of
>> course, in a real election we would not release any information
>> that could facilitate either type of attack -- network or data. We
>> understand that such a strategy can be accomplished even with open
>> source software and open peer review of protocols since, for
>> example, we may not reveal which algorithm is being used for
>> encryption (from a known list of certified algorithms). In a real
>> election we would also not reveal which range of IP numbers is
>> being used, and other configuration data." What I mean is that
>> voting system security that is dependent on knowing or not
>> knowing these sorts of details is totally without value, because an
>> analysis of a system's security must begin by assuming these facts are
>> known (if by no other way, an employee of SafeVote can spread
>> them.)
>
> Gail:
>
> Thanks for calling this opinion to my attention and thank you for
> doing it in public as well.
>
> Mr. Sjödin simply forgot to include the beginning of the paragraph,
> with a reference, which provides a context completely different from
> his unfounded inference.
>
> This is the whole paragraph, from that URL at http://www.safevote.com/tech.htm :
>
>   Why are we releasing this information? For several reasons, as we
>   explain in the October 2000 issue of the newsletter The Bell, page 3.
>   Of course, in a real election we would not release any information
>   that could facilitate either type of attack -- network or data. We
>   understand that such a strategy can be accomplished even with open
>   source software and open peer review of protocols since, for example,
>   we may not reveal which algorithm is being used for encryption (from
>   a known list of certified algorithms). In a real election we would
>   also not reveal which range of IP numbers is being used, and other
>   configuration data.

*************** COMMENTS *******************************

The quote above that Mr. Gerck objects to was very briefly written and clearly open to several interpretations. Let me expand.

As far as I can see, SafeVote's scheme is a serious proposal and deserves to be taken seriously and further analysed. We at SICS have not currently tried to do such an analysis. My comment, however, was not meant as a comment on the technical merits of their suggestions but was a comment in the context of my posting dealing with the relation of technical solutions and the political consequences thereof.

***************************************************************

BACKGROUND (to avoid misinterpretation, this is not something that I expect SafeVote to disagree with).

PRINCIPLE 1. Any piece of information in a system, even if supposedly secret, must be assumed known to an attacker unless proven otherwise.

This may seem like an overly strict requirement, but it has been forced upon us through hard-won experience. Thus, in order to be allowed to say that keeping some information secret *really* buys us more security, we need two proofs: one to demonstrate that the information really is unavailable, and another one to show that this unavailability increases the security.

On the other hand, there is the tempting conclusion of this principle that would say that unless proven unobtainable by an attacker there is no reason to keep information secret. This does not follow, and let us instead formulate another principle.

PRINCIPLE 2. Unless there is a specific reason, information that could be used by an attacker should be kept secret.

Note that there often are specific reasons for keeping information known, for instance that as many people as possible should be given the chance to analyse possible weaknesses of the system.

Now, the fact that the first principle is the overriding one and that the second one is more a kind of "belts and braces" principle is quite often not understood. People not familiar with the pitfalls of computer security have a tendency to think that keeping information secret automatically makes a system more secure. It *might* do so, and that is the reason why it may be a good idea to do it, but there are too many examples where it hasn't and has then only given a false sense of security.

***************************************************************

Now I will turn to the case at hand, that of trying to hide the "range of IP numbers [that] is being used, and other configuration data". I cannot offhand think of any specific reason to publish that information, so by the second principle one should indeed try to keep that information hidden.

HOWEVER, THE KEY QUESTION IS WHETHER WE CAN SATISFY THE REQUIREMENTS OF THE FIRST PRINCIPLE. This seems much less clear. It is clear that some information about these parameters would, during the process, be made available outside of the system controlled by SafeVote. For instance, the IP number used for a particular communication would be available at least to the outside party opening the communication and to possible eavesdroppers.

This does not mean that it cannot be proven that keeping the information hidden in the way SafeVote proposes would give us extra security. However, the way I see it, it would need to be proven.

***************************************************************

Finally, as I said in my posting, I think it is imperative that the decision to use a particular voting system in a public election should be an informed one. Thus, it is the civic duty of those possessing the knowledge to understand the security aspects of such systems to inform the public. The formulation I quoted runs, in my opinion, the risk of reinforcing the misunderstanding that keeping things secret automatically increases security rather than attempting to dispel it. I am not in any way saying that that has been the intent of SafeVote, but I still think it is an unfortunate phrasing.

Best regards,
Gunnar Sjödin

---------- LIST INFO -----------------------------------
To unsubscribe, send an empty e-mail to [EMAIL PROTECTED]
Web archive: http://www.mail-archive.com/e-demokrati@mailinglist.statskontoret.se/
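An added illustration (not part of the message above or of SafeVote's material) of Principle 1 applied to the quoted claim that the encryption algorithm "from a known list of certified algorithms" need not be revealed: an analyst who, as the principle requires, assumes the list itself is known can simply enumerate it, so the secret choice multiplies the search by at most N, i.e. adds log2(N) bits. The three keyed stream ciphers, the ballot text and the deliberately tiny 12-bit key space are constructed here so the exhaustive search finishes in well under a second.

```python
import hmac
import math

# Constructed toy "list of certified algorithms": keystream generators built
# from HMAC over different hash functions. Toy only: the key space is
# deliberately tiny (KEY_BITS) so the exhaustive search below runs quickly.
CERTIFIED_ALGORITHMS = ("hmac-sha256", "hmac-sha512", "hmac-sha3_256")
KEY_BITS = 12


def keystream(alg, key, n):
    """Expand key into n keystream bytes using the hash named by alg."""
    digestmod = alg.split("-", 1)[1]
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), digestmod).digest()
        ctr += 1
    return out[:n]


def encrypt(alg, key, msg):
    """XOR stream cipher; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(msg, keystream(alg, key, len(msg))))


def exhaustive_search(ciphertext, known_prefix, candidate_algs):
    """Principle 1 analyst: try every (algorithm, key) pair, since the list of
    candidate algorithms must be assumed known. Returns (alg, key, trials)
    on the first pair whose decryption starts with the known plaintext."""
    trials = 0
    for alg in candidate_algs:
        for k in range(2 ** KEY_BITS):
            trials += 1
            key = k.to_bytes(2, "big")
            if encrypt(alg, key, ciphertext).startswith(known_prefix):
                return alg, key, trials
    return None


def worst_case_trials(candidate_algs):
    """Upper bound on trials: hiding the algorithm multiplies it by len(list)."""
    return len(candidate_algs) * 2 ** KEY_BITS


def bits_gained_by_hiding_algorithm(candidate_algs):
    """Extra security, in bits, from keeping the choice secret: log2(N)."""
    return math.log2(len(candidate_algs))
```

With three candidates the secret choice is worth about 1.58 bits, a negligible margin next to the key itself; the same enumeration applies whatever the real key length is.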