Re: electronic ballots
At 1:01 PM -0500 2/4/2001, John Kelsey wrote:

> -BEGIN PGP SIGNED MESSAGE-
>
> At 11:02 PM 1/27/01 -0500, William Allen Simpson wrote:
> > ... "Arnold G. Reinhold" wrote:
> > > There are a lot of reasons why open source is desirable, but it does simplify the job for an attacker.
> >
> > I disagree. Security by obscurity is never desirable.
>
> Right. This is doubly important in this application, where the big threat is insider fraud. The people we're really worried about doing some kind of large-scale fraud are the ones being trusted to man voting stations, transport ballots, count votes, and certify elections. Outsiders who've read through the source code looking for buffer overflow bugs aren't likely to have the access needed to mount an attack.

I feel like I am being quoted out of context here. I was not suggesting closed source, but proposing a new type of compiler that produces obfuscated object code under a key. This could make an attacker's job more difficult, particularly in the narrow time window of an election. In the attack model I am addressing, the people who man the voting stations would be supplied with malware tools based on just such an analysis of the source code. Under my scheme they could not rely on knowing the exact object code they will encounter. The compilation key or keys would be published after the election, allowing the object code used in the field to be compared with the source.

At 10:38 AM -0800 2/4/2001, David Honig wrote:

> On Banning Video Cameras From Voting Places
>
> The voting apparatus may keep a serial record of each vote, in order, for auditing purposes. This is also mentioned in WAS's legislative text. Now, if an evil vote buyer had someone recording who entered which booth and also had access to the audit records, the correlation lets them buy or blackmail votes. Note that this requires only *one* conspirator if that conspirator is a poll worker with a concealed camera.

One doesn't need a concealed camera. There is nothing to stop a poll watcher from keeping written notes of the time when each voter votes. In fact, here in Massachusetts the election officials are required to call out the name of each voter when they get their ballots and when they turn them in.

Arnold Reinhold
Re: electronic ballots
At 05:28 PM 1/25/01 -0600, (Mr) Lyn R. Kennedy wrote:

> On Thu, Jan 25, 2001 at 01:03:49PM -0500, William Allen Simpson wrote:
> > I've been working with Congresswoman Lynn Rivers on language for electronic ballots. My intent is to specify the security sensitive information, and encourage widespread implementation in a competitive environment. We'd like feedback.
>
> It seems that something like a smartcard would be the best scheme. The card would have to be able to encrypt the vote and sign it. An observer would need an additional card to sign votes. This would allow a voter to vote from almost anywhere and coercion could be defeated by going to another place and voting in front of an observer.

But that would only work if you distribute cards to voters, which gets awfully close to creating a national identity card. Also, a smartcard is easily transferred from one person to another, so vote-buying becomes convenient and automated - especially if you don't have passphrases, or if you write them on the card. If you limit use to authorized polling places, you could put the voter's picture on the card to reduce that problem, but that increases the privacy problems.

Thanks! Bill

Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
Re: electronic ballots
William Allen Simpson wrote:

> -BEGIN PGP SIGNED MESSAGE-
>
> I've been working with Congresswoman Lynn Rivers on language for electronic ballots. My intent is to specify the security sensitive information, and encourage widespread implementation in a competitive environment. We'd like feedback.

I suggest you take a look at:

1. Sixteen requirements for voting. The requirements are technologically neutral and can be applied to paper, electronic or Internet systems. There is an extensive discussion of alternatives, before the requirements are summarized. Available at http://www.thebell.net/archives/thebell1.7.pdf , page 3.

2. Talk to Assemblyman Kevin Shelley (D, CA), who proposed an Online Voting Modernization Act this January. Contact through [EMAIL PROTECTED]

3. Talk to Assemblyman John Longville (D, CA), who chaired the California Legislative Hearing on Elections this Jan/16-17.

4. My testimony to the California Legislative Hearing on Elections, available in a verbatim copy from the tapes, at http://www.mail-archive.com/tech@ivta.org/msg00104.html

Cheers, Ed Gerck
Re: electronic ballots
At 01:03 PM 1/25/01 -0500, William Allen Simpson wrote:

> -BEGIN PGP SIGNED MESSAGE-
>
> I've been working with Congresswoman Lynn Rivers on language for electronic ballots. My intent is to specify the security sensitive information, and encourage widespread implementation in a competitive environment. We'd like feedback.

Fun topic. Some comments:

You should list the desirable properties of a voting system and then the threats to those properties. Put it on the table for everyone to see; you're gonna have to educate them in security analysis. A list of goals might look like:

  One man, one vote
  Need no skills (eg literacy), just claim Right, state address, sign name
  No coercion
  Anonymity in voting
  One-time
  Commit (can't change your mind)

(NB Absentee balloters from home will be subject to domestic coercion, but there's little you can do if the spouse is that controlling.)

You introduce lots of extra tracking numbers, which is a threat to anonymity. Perhaps it is to defend the one-man-one-vote desirable property against double-voting attacks, but are those congresscritters aware of this tradeoff?

Suggestion: You should also sketch a system, and maybe a 'use case'. Is the goal to let absentee voters use a PC from home? Or to use State PCs transparently? Or to use State PCs as an excuse to change election procedures? (I don't mean to be hostile here.) In fact, what do you expect to gain? Faster results for CNN? That is said to skew elections. More accuracy? Derived from what? In fact, you may lose: The user interface may be worse --displays lack paper's contrast, and pressing lettered keys or using a mouse is beyond some voters. It can be better ---using the 'radio button' concept to exclude voting for more than one--- but it takes careful design and experiment.

It's not clear to me if dig certs are being used in your plans to authenticate voters to voting machines; or to authenticate voting-machines to state databases. Or both. In my state, we use handsignatures, only, to authenticate voters.

How do you convince Joe Sixpack that the magic numbers he uses, and which are linked to his person/residence, aren't linked to his vote? When you put cards in a box you achieve quasi-anonymity "that you can see". How do you do this with opaque computers?

How do you avoid a 'traffic analysis'-like attack where you monitor both the votes sent out to state DB servers and who comes out of the booth? This would only work on slow polling places, but would let you link people to their votes. A solution is to batch. Maybe not worth worrying about, but never a problem before networked computer voting machines.

At which points in the system would a hacked-keyboard (like the keystroke recording things that go in-line, but one that changes votes) be detected?

> (D) UNIFORMITY -- Display of candidates shall be substantially similar for each race within a state. On each display, the names of candidates may be randomly ordered within each race.

Randomly for each voter? Random by county? Random by race (so that in Presidents you see Lib/Demo/Repub but when voting for Governor you see Repub/Lib/Demo)?

> Election software shall prevent overvote and undervote, and shall allow the voter to correct such conditions. Voters unwilling to indicate a choice may select "no vote". Where "none of the above" or its equivalent is a valid choice, "no vote" shall be a separately distinguished choice.

How about voters not willing to vote for anything in that race, *including* 'no vote'? Is "no vote" a radio-button default?

> (E) VERIFIABILITY -- The record shall not include any other personally identifiable voter information.

Yeah, why should it, the Government has the lookup table. No difference, if the Government is the source of the threat to anonymity. Isn't this part of the threat model?

> SEC. xx20. POLLING SECURITY REQUIREMENTS
>
> (A) AUTHENTICATION -- Transactions registering voter choices shall be authenticated by a digital certificate.

A one-time certificate which comes from a machine that's about to take your vote? What is the point?

Another question: where is your time base from? GPS? The internet time servers? This matters if/when the computers use their notion of time to shut voting off.

I don't understand your absentee ballot procedure, except that legacy paper is still supported via human data entry. What happens if someone forgets a PIN? To vote absentee in Calif all you need is a stamp and the ability to write your signature. Increasing the complexity will deter people. (Where did that separate letter with the PIN go?)

> (C) DUPLICATES -- When more than one authentic vote by the same absentee voter is detected, the last such vote shall supercede any earlier vote. An absentee voter appearing at the regular polling place shall supercede any earlier vote.

Duplicate votes are not handled the way you
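The timing correlation Honig describes, and the batching he suggests as the remedy, worked through as an added example that is not part of the original thread. It is Go, with a constructed seven-voter polling place; the voter labels, casting times and batch size of three are assumptions, and the "watcher's log" is simply the voter/time columns of the casting events:

```go
package main

import (
	"fmt"
	"sort"
)

// CastVote is the machine's internal event: the clerk has just checked the
// voter in, so the identity is known here, but it must not travel with the
// choice. Every name and time below is constructed for this example.
type CastVote struct {
	Voter, Choice string
	At            int // seconds since the polls opened
}

// Transmission is what an observer on the path to the state database sees:
// an anonymous record and the moment it went out.
type Transmission struct {
	Choice string
	At     int
}

// SampleVotes models a slow polling place: one voter every 90 seconds.
func SampleVotes() []CastVote {
	return []CastVote{
		{"voter-01", "A", 10}, {"voter-02", "B", 100}, {"voter-03", "A", 190},
		{"voter-04", "B", 280}, {"voter-05", "A", 370}, {"voter-06", "A", 460},
		{"voter-07", "B", 550},
	}
}

// TransmitImmediately sends each record the instant it is cast.
func TransmitImmediately(votes []CastVote) []Transmission {
	out := make([]Transmission, len(votes))
	for i, v := range votes {
		out[i] = Transmission{v.Choice, v.At}
	}
	return out
}

// TransmitBatched holds records until `size` have accumulated, then sends
// them together, stamped with the last casting time and sorted by choice so
// that order inside the batch says nothing about casting order. A trailing
// partial batch would shrink its voters' anonymity set, so it is folded into
// the previous batch instead of going out on its own.
func TransmitBatched(votes []CastVote, size int) []Transmission {
	var groups [][]CastVote
	for i := 0; i < len(votes); i += size {
		end := i + size
		if end > len(votes) {
			end = len(votes)
		}
		groups = append(groups, append([]CastVote(nil), votes[i:end]...))
	}
	if n := len(groups); n > 1 && len(groups[n-1]) < size {
		groups[n-2] = append(groups[n-2], groups[n-1]...)
		groups = groups[:n-1]
	}
	var out []Transmission
	for _, g := range groups {
		sent := g[len(g)-1].At
		sort.Slice(g, func(a, b int) bool { return g[a].Choice < g[b].Choice })
		for _, v := range g {
			out = append(out, Transmission{v.Choice, sent})
		}
	}
	return out
}

// LinkByTiming is the attacker's join: a record sent at time T was cast by
// someone who left the booth after the previous transmission and no later
// than T. The watcher's log (exits) is just voter and time; choices are
// never in it. Returns the candidate voters for each transmission.
func LinkByTiming(exits []CastVote, txs []Transmission) [][]string {
	linked := make([][]string, len(txs))
	for i, tx := range txs {
		prev := -1
		for _, other := range txs {
			if other.At < tx.At && other.At > prev {
				prev = other.At
			}
		}
		for _, e := range exits {
			if e.At > prev && e.At <= tx.At {
				linked[i] = append(linked[i], e.Voter)
			}
		}
	}
	return linked
}

// MinAnonymitySet is the worst case over all transmissions; 1 means some
// voter is tied to their vote with certainty.
func MinAnonymitySet(linked [][]string) int {
	best := 0
	for i, c := range linked {
		if i == 0 || len(c) < best {
			best = len(c)
		}
	}
	return best
}

func main() {
	votes := SampleVotes()
	fmt.Println("immediate:", MinAnonymitySet(LinkByTiming(votes, TransmitImmediately(votes))))
	fmt.Println("batched(3):", MinAnonymitySet(LinkByTiming(votes, TransmitBatched(votes, 3))))
}
```

With per-voter transmission every record is pinned to exactly one voter; with batches of three the attacker's candidate set never drops below three, and no record is lost in the process. The partial-batch rule matters: without it the seventh voter would go out alone and be linked just as surely as before.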
Re: electronic ballots
On Thu, Jan 25, 2001 at 01:03:49PM -0500, William Allen Simpson wrote:

> I've been working with Congresswoman Lynn Rivers on language for electronic ballots. My intent is to specify the security sensitive information, and encourage widespread implementation in a competitive environment. We'd like feedback.

First the basics:

1. An electronic election system need only be as good as the current system. While perfection remains the goal, the minimum criteria is that it be no worse.

2. There needs to be an absolute disconnect between the voter and the vote. Some kind of voting certificate should allow a vote but make it difficult to determine how someone voted.

3. The concept of the polling place needs to be re-examined. If a voter can vote from anywhere at anytime then the problem becomes one of counting the last vote. A vote signed by an authorized observer would supercede any following ones that were not observed.

It seems that something like a smartcard would be the best scheme. The card would have to be able to encrypt the vote and sign it. An observer would need an additional card to sign votes. This would allow a voter to vote from almost anywhere and coercion could be defeated by going to another place and voting in front of an observer.

Obviously if the smartcard contained a signing key with no way to relate it to the external number of the card, there would be some room for fraud with lost or stolen cards. Replacing these voter certificates at regular intervals would minimize that.

Even a system relying on software and floppy disks might be as good as the way we have now. Current systems count on most of the people being honest anyway.

--
| 73, E-mail | [EMAIL PROTECTED] |
| Lyn Kennedy webpage | http://webusers.anet-dfw.com/~lrkn/ |
| K5QWB pony express = P.O. Box 5133, Ovilla, TX, USA 75154 |
---Livin' on an information dirt road a few miles off the superhighway---
Re: electronic ballots
At 1:03 PM -0500 1/25/2001, William Allen Simpson wrote:

> -BEGIN PGP SIGNED MESSAGE-
>
> I've been working with Congresswoman Lynn Rivers on language for electronic ballots. My intent is to specify the security sensitive information, and encourage widespread implementation in a competitive environment. We'd like feedback.

While it is good that you are taking the time to work with Congress on this, I have a number of problems with what you have proposed. I've indicated a few specifics below but here are some general objections.

First, and most important, it is far from a given that public key cryptography can be used to build a better voting system than the best paper systems that are presently in use (even assuming as true the unproven mathematical foundations of the technology). There is much more room for undetectable shenanigans in an electronic system than in a paper system. Political leaders should understand that it is not just a question of issuing the right RFP. In particular, it is premature to start drafting a law.

Second, I find it unsatisfactory to review a proposed cryptosystem design presented in legal language. At the very least, a careful system design document, preferably with pseudo code, and a detailed threat model should be presented. A working model would be better. You should separate the performance criteria a voting system must meet from the technical design.

It is not enough that a voting system be secure, or that it be reviewed by experts. Its security must be evident to the average voter. Otherwise it is possible to intimidate voters even if the system isn't breakable. ("The boss has computer experts working for him so you better vote for his candidate if you want to keep your job.")

Finally, there are those unproven mathematical foundations. Assuming them true may be acceptable for message privacy or financial transactions of modest size, but basing our entire political system on them is another matter.

> Unlike last year's so-called "electronic signatures act", this one specifies real digital signatures, with definitions culled from the usual Menezes et alia Handbook.

I would much rather you specify specific technologies, such as FIPS standards (SHA1, SHA2, AES (it will be out soon enough), DSA, and P.1363). You can always add "or demonstrated equivalent" (though I wouldn't). The Handbook definitions are far too loose in legal hands. System security analysis is very dependent on the exact algorithms used, bit lengths, protocol etc., so I wouldn't want every vendor making these choices. That would complicate security review enormously. Plus, in my experience even demonstrated weaknesses are pooh-poohed by vendors.

> Here's what it looks like so far (draft #1.2).
>
> Summary: Minimal requirements for conducting electronic elections. Technology and vendor neutral. Promotes interoperability, robustness, uniformity, and verifiability. Easily integrated into existing equipment and practices. Handle duplicate votes and/or denial of service through submission of bogus votes. Permit multiple persons to use the same machinery. Inhibit persons with access to the machine from fraud. Provides penalties for circumvention.
>
> Education telecommunications; all computing equipment purchased for schools or libraries with federal money under "eRate" or other assistance program [cite] shall be capable of use for federal elections. States receiving such funds shall participate in electronic federal elections.
>
> Title __ -- Electronic Election Requirements
>
> SEC. xx01. SHORT TITLE. This title may be cited as the ``Electronic Election Requirements Act''.
>
> SEC. xx02. DEFINITIONS. -- In this title:
>
> (A) BASE64 ENCODING -- A standard method for compact display of arbitrary numeric data, described in Multipurpose Internet Mail Extensions (MIME), Internet RFC-2045 et seq.
>
> (B) DIGITAL CERTIFICATE -- A verifiable means to bind the identification and other attributes of a public key to an entity that controls the corresponding private key using a digital signature. In this application, the certificate shall be self-signed, and signed by the appropriate authorizing state server.
>
> (C) DIGITAL SIGNATURE -- A verifiable means to bind information to an entity, in a manner that is computationally infeasible for any adversary to find any second message and signature combination that appears to originate from the entity. Any method used for an election shall ensure integrity and non-repudiation for at least ten years.
>
> (D) ELECTION SOFTWARE -- Applications or browser applets that display an electronic ballot and record the voter choices.
>
> (E) ELECTRONIC ELECTION SYSTEMS -- A collection of electronic components, including election software, hardware, and platform operating system, on both local clients and remote servers, used in the election.
>
> (F)
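Definitions (A) through (C) of the draft, together with the DUPLICATES rule Honig quotes earlier in the thread, worked as an added example that is neither the draft's nor any list member's code. It is Go; crypto/ed25519 stands in for the unspecified signature method, the certificate layout, the "cert:"/"vote:" framing, the machine and voter identifiers, and the use of the machine clock as the ordering key are all assumptions, and every key is generated fresh when the program runs:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// MachineCert stands in for the draft's digital certificate: the machine's
// public key, self-signed and then signed by the state server. The layout
// and the "cert:"/"vote:" framing are this example's own assumptions.
type MachineCert struct {
	MachineID         string
	PubKey            ed25519.PublicKey
	SelfSig, StateSig []byte
}

func certBody(id string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert:"+id+":"), pub...)
}

func IssueCert(id string, machPriv, statePriv ed25519.PrivateKey) MachineCert {
	pub := machPriv.Public().(ed25519.PublicKey)
	body := certBody(id, pub)
	return MachineCert{id, pub, ed25519.Sign(machPriv, body), ed25519.Sign(statePriv, body)}
}

// VerifyCert accepts a certificate only if both signatures check.
func VerifyCert(c MachineCert, statePub ed25519.PublicKey) bool {
	body := certBody(c.MachineID, c.PubKey)
	return ed25519.Verify(c.PubKey, body, c.SelfSig) && ed25519.Verify(statePub, body, c.StateSig)
}

// VoteRecord is one transaction registering a choice. VoterID is the
// absentee voter's registration token, needed for the DUPLICATES rule;
// Cast is the machine clock at casting (the draft leaves the time base open).
type VoteRecord struct {
	Machine, VoterID string
	Cast             int
	Choice           string
	Sig              string // base64 (the RFC 2045 alphabet) of the signature
}

func recordBody(r VoteRecord) []byte {
	return []byte(fmt.Sprintf("vote:%s:%s:%d:%s", r.Machine, r.VoterID, r.Cast, r.Choice))
}

func SignRecord(priv ed25519.PrivateKey, machine, voter string, cast int, choice string) VoteRecord {
	r := VoteRecord{Machine: machine, VoterID: voter, Cast: cast, Choice: choice}
	r.Sig = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, recordBody(r)))
	return r
}

func VerifyRecord(c MachineCert, r VoteRecord) bool {
	sig, err := base64.StdEncoding.DecodeString(r.Sig)
	return err == nil && ed25519.Verify(c.PubKey, recordBody(r), sig)
}

// Tabulate keeps a record only if the named machine's certificate chains to
// the state key and the record's signature verifies under that machine's
// key. Among authentic records for one voter the latest Cast supersedes the
// rest, whatever order they arrive in. Rejections are counted, not hidden.
func Tabulate(statePub ed25519.PublicKey, certs map[string]MachineCert, recs []VoteRecord) (map[string]VoteRecord, int) {
	counted, rejected := map[string]VoteRecord{}, 0
	for _, r := range recs {
		c, ok := certs[r.Machine]
		if !ok || !VerifyCert(c, statePub) || !VerifyRecord(c, r) {
			rejected++
			continue
		}
		if prev, seen := counted[r.VoterID]; !seen || r.Cast > prev.Cast {
			counted[r.VoterID] = r
		}
	}
	return counted, rejected
}

// RunScenario builds a constructed election: one endorsed machine, one
// endorsed by the wrong key, a superseded vote, and a record altered after
// signing. Nothing here is a real credential.
func RunScenario() (map[string]VoteRecord, int) {
	statePub, statePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, m1Priv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bogusStatePriv, _ := ed25519.GenerateKey(rand.Reader)
	certs := map[string]MachineCert{
		"m1": IssueCert("m1", m1Priv, statePriv),
		"m2": IssueCert("m2", roguePriv, bogusStatePriv), // not the real state key
	}
	tampered := SignRecord(m1Priv, "m1", "v3", 150, "A")
	tampered.Choice = "B" // changed after signing, so the signature no longer matches
	recs := []VoteRecord{
		SignRecord(m1Priv, "m1", "v1", 200, "B"), // arrives first but was cast last
		SignRecord(m1Priv, "m1", "v1", 100, "A"),
		SignRecord(roguePriv, "m2", "v2", 120, "A"),
		tampered,
	}
	return Tabulate(statePub, certs, recs)
}

func main() {
	counted, rejected := RunScenario()
	fmt.Printf("counted %d voter(s), v1 -> %s, rejected %d\n", len(counted), counted["v1"].Choice, rejected)
}
```

The scenario ends with one counted voter (v1, whose later vote for B supersedes the earlier A regardless of arrival order) and two rejections: the record from the machine whose certificate was not endorsed by the real state key, and the record whose choice was altered after signing. Note what this does not give you: Honig's objection stands, since a certificate minted by the machine that is about to take the vote proves only that the record came from that machine, and the "last vote wins" rule is only as good as the clock the machine signs.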
Re: electronic ballots
-BEGIN PGP SIGNED MESSAGE-

Thanks everyone for the helpful comments. I've combined them as well as I could. Some folks sent privately, as indicated.

David Honig wrote:
> At 01:03 PM 1/25/01 -0500, William Allen Simpson wrote:
> > I've been working with Congresswoman Lynn Rivers on language for electronic ballots. My intent is to specify the security sensitive information, and encourage widespread implementation in a competitive environment. We'd like feedback.
>
> You should list the desirable properties of a voting system and then the threats to those properties.

Actually, there's a lot of this already, going back many years. There were many such threats described on this list last year, and there have been a couple of conferences. In the process of passing legislation, somebody might make a presentation to a committee, or write a report on a specific protocol. But, that kind of information isn't specified in an "authorization" statute.

"Arnold G. Reinhold" wrote:
> I find it unsatisfactory to review a proposed cryptosystem design presented in legal language. At the very least, a careful system design document, preferably with pseudo code, and a detailed threat model should be presented. A working model would be better.

This isn't a proposed cryptosystem design. It's a compilation of minimal requirements for security. It is expected that there will be many designs that meet the requirements. It's based on known designs, and existing analysis. Just as in standards development, requirements don't specify the result.

As I tried to indicate, this is to specify the security sensitive information, so that when folks come to testify or work on conference papers, they are all speaking the same language. I needed your help to ensure that we didn't miss anything important, and we don't go down the sad course that electronic signatures suffered last year.

David Honig wrote:
> you're gonna have to educate them in security analysis.

This is exactly the purpose. The select committee will be designated next week. Most legislators won't bother to be educated until there is actual legislation to consider.

Congresscritter Rivers convened a roundtable on Internet Privacy about 5 years ago, long before most folks in Congress were considering such issues. She went to the trouble to find local talent, such as Honeyman and myself. She has long displayed interest in other security issues. She's on Science and Technology, and has a couple of major universities in her district. Her background is biology and anthropology, so she is capable of following scientific rationale. I actually consider her pretty Internet savvy; however, I'm biased.

On the other hand, she finds PGP too hard to use. She wants these requirements to be simple, low cost, easy to use, and as close to existing election practices as possible, so that non-technical people can comfortably use the system.

Those of you that have known me for a long time might remember that I'm the fellow that wrote the Michigan appropriations language to provide matching funds for NSFnet, the precursor to the commercial Internet. I've been involved in electoral politics for going on 25 years. If you know of others with the requisite experience in politics, legislation and security, I'd like to meet them.

"(Mr) Lyn R. Kennedy" wrote:
> 1. An electronic election system need only be as good as the current system. While perfection remains the goal, the minimum criteria is that it be no worse.
>
> 2. There needs to be an absolute disconnect between the voter and the vote. Some kind of voting certificate should allow a vote but make it difficult to determine how someone voted.

I agree. Very important points.

> 3. The concept of the polling place needs to be re-examined. ...

Someday, remote absentee voting might be practical. Right now, the goal is to gain experience in existing polling places, and remove the restriction that military bases and foreign offices cannot be used as polling places. There was a pilot on that last year.

> It seems that something like a smartcard would be the best scheme.

Not likely. Voting is very different from banking transactions. And issuing smartcards with special software for voting is likely to be prohibitively expensive.

Somebody wrote:
> It strikes me that the greatest cause of confusion in vote counting stems from the variation with which voters express their intent.

Yes, that's why most of the language concentrates on uniformity of interface and presentation. The only known way to eliminate that variation is to use an entirely digital method. Every other system involving paper (or transcription between analog media) will have an error rate.

Somebody wrote:
> Of course the digital signature alone cannot ensure non-repudiation. Maybe this should either leave out non-repudiation since it's a broader issue or be
Re: electronic ballots
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

At 05:28 PM 1/25/01 -0600, (Mr) Lyn R. Kennedy wrote:
> First the basics:
>
> 1. An electronic election system need only be as good as the current system. While perfection remains the goal, the minimum criteria is that it be no worse.

After Florida, I think we can shoot for something a lot better.

> 3. The concept of the polling place needs to be re-examined. If a voter can vote from anywhere at anytime then the problem becomes one of counting the last vote. A vote signed by an authorized observer would supercede any following ones that were not observed.

I don't see the problem or the reason for an observer. Here in Oregon, we do all votes by mail. The last vote to count is the last one to arrive at the county's collection point before 8pm, election day.

OTOH, my next door neighbor was bemoaning the loss of polling places -- as a place to meet the neighbors. So maybe the real answer is still to vote by mail (or electronically) but have a place (actually, an espresso shop with easy chairs, small tables and a fireplace) where you can go to hang out, hand in your ballot and visit with the neighbors.

 - Carl

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.2

iQA/AwUBOneKmHPxfjyW5ytxEQKzsQCgim1lGgnLNWRvlxF5c/RoecbYNjcAnjnJ
e+Jjdp5J11zoOFKFsQ4v8hog
=MjCP
-END PGP SIGNATURE-

+--+
|Carl M. Ellison [EMAIL PROTECTED] http://world.std.com/~cme |
|PGP: 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 |
+--Officer, officer, arrest that man. He's whistling a dirty song.-+
Re: electronic ballots
It looks as if your VERIFIABILITY constraints allow pay-for-vote to take place. The voter V can show his audit number to ward-heeler W, who can subsequently verify, together with poll-watcher P, that V voted for Boss B. The PRIVACY section does not seem strong enough to prevent this. Ten years in Chicago will damage anyone's faith in the system. About as much so as ten weeks in DC, I imagine. Matt
Re: electronic ballots
-BEGIN PGP SIGNED MESSAGE-

Long answer

Matt Crawford wrote:
> It looks as if your VERIFIABILITY constraints allow pay-for-vote to take place. The voter V can show his audit number to ward-heeler W, who can subsequently verify, together with poll-watcher P, that V voted for Boss B.

Maybe you meant "clerk", not "poll-watcher".

There has to be some sort of indication that you've voted, to prevent multiple voting. Granted?

A poll-watcher would only know the same audit-number -- but they already know that. When the clerk writes your name into a poll book, or (in other places) writes a poll-number next to your name on the printout, a poll-watcher knows when you came in, and what order you voted. Think of it as traffic analysis.

However, to learn the vote requires the assistance of the clerk, revealing the ballot itself. To prevent those kind of shenanigans, all parties have poll-watchers (In practice, we have problems finding enough volunteers, so we place them in tactical locations.)

It _IS_ true that virtually all vote fraud is conducted by clerks. That's why you have to have the audit numbers. So that someone can catch the clerks (after the fact).

Good paper ballot systems use the same form of indirection. The poll number is written on the serial tab that is removed from the ballot when the ballot is placed in the box/machine.

There are existing systems that don't have the audit number. In Ingham County, Michigan, last year, the punch cards didn't have a serial number. During the recount, ballot boxes in primarily Democratic precincts (Michigan State University) "miraculously" had more ballots than the number of folks that voted. Entire precincts were thrown out! The Republican won the recount by less than 100 votes, when the Democrat should have won by several thousand.

All you have to do is throw a blank ballot or two in the box while nobody is looking. That's why you have to serialize the ballots, so that spurious ballots can be removed/ignored.

> The PRIVACY section does not seem strong enough to prevent this.

Dunno what to do (in a law) other than outlaw the behaviour, ensure that the clerk has a strong probability of being caught, and a stiff enough penalty to provide deterrence. Any other ideas?

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.1

iQCVAwUBOnCwndm/qMj6R+sxAQHSzQP8D+DLzPCdER6Ja8aaNvaGZ8tRu/9y5Fb0
Uf3DTW2KOGoZ3YzsHWfLPvW/SMrV9Mv5ij9jDtE0cU/8ydNWjHbXiMGcT6Zbq4ds
cwaegN8cQJX2ZGNNhzVmJaf3DUdkxNRiDO7bMPKC7pr/4Wf1SQTidO3qUJDfhcCK
UEcoRphcsKA=
=Z8SZ
-END PGP SIGNATURE-
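The indirection Simpson describes (poll book, detached serial tab, serialized ballot) and the reconciliation it makes possible, as an added example that is not taken from the thread. It is Go; the serial numbers, voter names, choices and the "set aside duplicated serials" rule are constructed for the example, and the final function shows the join that the clerk, and only someone holding all three records, can perform:

```go
package main

import (
	"fmt"
	"sort"
)

// Three records a good paper system keeps apart. All names and numbers
// below are constructed for this example.
type PollBookEntry struct { // clerk's book: who was issued which poll number
	PollNumber int
	Name       string
}
type Tab struct { // the serial tab torn off the ballot at the box
	PollNumber int
	Serial     int
}
type Ballot struct { // what is found in the box afterwards
	Serial int
	Choice string
}

func SamplePollBook() []PollBookEntry {
	return []PollBookEntry{{1, "Voter One"}, {2, "Voter Two"}, {3, "Voter Three"}, {4, "Voter Four"}}
}
func SampleTabs() []Tab { return []Tab{{1, 101}, {2, 102}, {3, 103}, {4, 104}} }

// SampleBox has two problems planted in it: serial 999 was never issued
// (thrown in while nobody was looking) and serial 102 appears twice.
func SampleBox() []Ballot {
	return []Ballot{{101, "A"}, {102, "B"}, {103, "A"}, {104, "B"}, {999, "B"}, {102, "B"}}
}

type Report struct {
	Issued, InBox int
	Spurious      []int // in the box, never issued
	Missing       []int // issued, not in the box
	Duplicate     []int // same serial more than once in the box
}

func issuedSet(tabs []Tab) map[int]bool {
	issued := map[int]bool{}
	for _, t := range tabs {
		issued[t.Serial] = true
	}
	return issued
}

func serialCounts(box []Ballot) map[int]int {
	n := map[int]int{}
	for _, b := range box {
		n[b.Serial]++
	}
	return n
}

// Reconcile is the after-the-fact audit the serial numbers exist for. It
// needs only the tabs and the box, never the poll book, so it reveals no
// voter's choice.
func Reconcile(tabs []Tab, box []Ballot) Report {
	issued, counts := issuedSet(tabs), serialCounts(box)
	r := Report{Issued: len(tabs), InBox: len(box)}
	for serial, n := range counts {
		if !issued[serial] {
			r.Spurious = append(r.Spurious, serial)
		} else if n > 1 {
			r.Duplicate = append(r.Duplicate, serial)
		}
	}
	for serial := range issued {
		if counts[serial] == 0 {
			r.Missing = append(r.Missing, serial)
		}
	}
	sort.Ints(r.Spurious)
	sort.Ints(r.Missing)
	sort.Ints(r.Duplicate)
	return r
}

// CountValid tallies only ballots whose serial was issued and appears
// exactly once. Spurious and duplicated serials are set aside for the
// canvass rather than guessed at (this example's rule, not the draft's).
func CountValid(tabs []Tab, box []Ballot) map[string]int {
	issued, counts, tally := issuedSet(tabs), serialCounts(box), map[string]int{}
	for _, b := range box {
		if issued[b.Serial] && counts[b.Serial] == 1 {
			tally[b.Choice]++
		}
	}
	return tally
}

// Deanonymize is the join the indirection is meant to prevent: with the
// poll book, the tabs and the box in one pair of hands, every name maps
// to a choice. This is the clerk's attack, not the audit.
func Deanonymize(book []PollBookEntry, tabs []Tab, box []Ballot) map[string]string {
	serialOf, choiceOf, out := map[int]int{}, map[int]string{}, map[string]string{}
	for _, t := range tabs {
		serialOf[t.PollNumber] = t.Serial
	}
	for _, b := range box {
		choiceOf[b.Serial] = b.Choice
	}
	for _, e := range book {
		if c, ok := choiceOf[serialOf[e.PollNumber]]; ok {
			out[e.Name] = c
		}
	}
	return out
}

func main() {
	tabs, box := SampleTabs(), SampleBox()
	fmt.Printf("%+v\n", Reconcile(tabs, box))
	fmt.Println("tally:", CountValid(tabs, box))
	fmt.Println("joined:", Deanonymize(SamplePollBook(), tabs, box))
}
```

On the sample box the audit reports four issued, six in the box, serial 999 as spurious and 102 as duplicated, and the tally counts only the three ballots that survive both checks. The last function is the point of the separation: the tabs alone link a poll number to a serial, the poll book alone links a poll number to a name, and the box alone links a serial to a choice; none of the three is dangerous by itself, and the clerk is the one person who routinely handles all of them.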