Best Practices in Internet Voting

Transcription

1 Best Practices in Internet Vting Jrdi Puiggalí, Jesús Chóliz, Sandra Guasch Scytl Secure Electrnic Vting Tuset 20, 1-7, Barcelna, Spain I. Intrductin Nw a day, gvernments are using alternative vting channels such as pstal, fax, r electrnic vting t allw vters t cast their vtes remtely. Fr instance, in USA, the Unifrmed and Overseas Citizens Absentee Vting Act (UOCAVA) [1] and Military and Overseas Vter Empwerment (MOVE) Act [2] are fcused n prviding t military and verseas vters means t exercise their right t vte remtely. When chsing a specific scheme fr remte vting, it is imprtant t evaluate the security f the system by taking int accunt its security risks. The security measures implemented by the system must be identified and their effectiveness n mitigating these risks evaluated. Mrever, it must be ensured that these security measures are designed and implemented prperly, evaluating if the measures prperly address the security issues. If they are nt implemented in a prper way, the security level prvided drps dramatically. Fr instance, the fact that a vting platfrm is using a cryptgraphic mechanism des nt ensure that this is prperly implemented. This paper is fcused n evaluating Internet Remte Vting security measures that can be applied t mitigate the risks f remte vting. This can be used as reference when evaluating the best practices applied when designing and implementing these security measures. T evaluate their effectiveness, we used pstal vting as reference. The paper is rganized as fllws: in sectin II we intrduce sme basic security risks f remte vting, in sectin III, sme security cnsideratins used when implementing security measures in an Internet Remte Vting scheme are presented; in sectin IV we evaluate hw the security measures effectively mitigate the intrduced security risks using pstal vting as reference, and the paper cncludes in sectin V. II. Security Risks f Remte Vting In this sectin, we define general security risks f remte vting withut cnsidering a specific vting channel. They idea is t use them as reference fr cmparing different remte vting channels independently f the technlgy used by the channel. The risks that we will use as reference are: Unauthrized vters casting vtes: nneligible vters culd try t cast a vte fr a specific electin. The vting channel must prvide a rbust way t remtely identify vters. Vter impersnatin: a vter r an attacker culd try t cast a vte n behalf anther persn. The vting channel must prvide a rbust way t detect any impersnatin attempt. Ballt stuffing: an attacker can try t add in the ballt bx vtes frm vters that did nt participate in the vting prcess. The vting channel must prevent the acceptance f vtes that have nt been cast by their intended vters. Vter privacy cmprmise: an attacker culd break the vter privacy, identifying the vter with her vting ptins and, thereby, breaking the vte secrecy. The vting system must ensure that the vter s intent remains secret during the vting and cunting phases. Vter cercin and vte buying: ne persn r rganizatin culd buy r frce a vter t vte fr specific vting ptins. The vting channel must prevent a vter frm prving t a third party in an irrefutable way her vting intent. Vte mdificatin: vte cntents culd be mdified t change the electin results. The vting system must detect any manipulatin f valid cast vtes. Vte deletin: an attacker culd try t delete valid vtes frm the ballt bx. The ballt bx must be prtected against unauthrized changes. Publicatin f nn-authrized intermediate results: the intermediate results culd be disclsed befre the electin is clsed, influencing thse vters that have nt exercised their right t vte yet. The vting system has t preserve the secrecy f the cast vtes until the tally prcess t prevent any partial results disclsures. Vter distrust: a vter des nt have any means fr verifying the crrect receptin and cunt f her vte. Therefre, the vter culd have a negative feeling abut the vting prcess. The vting platfrm must allw the vter t check if the vte has been crrectly received at its destinatin, and if it has been present in the tallying prcess.

2 Electin byctt-denial f service: an attacker culd disrupt the availability f the vting channel by perfrming a denial f service attack. The vting platfrm must detect the eventual cngestin f the electin services in rder t react against them as sn as pssible, e.g. by using cntingency channels. Inaccurate auditability: nt enugh electin traceability r easy t tamper with audit data may allw attackers t hide any unauthrized behavir. The vting channel shuld prvide means t implement an accurate audit prcess and t detect any manipulatin f the audit data. III. Security cnsideratins when implementing security measures in Internet Remte Vting schemes When evaluating an Internet Vting platfrm, it is imprtant t evaluate the efficiency f the measures implemented t manage the security risks. In this sectin we will intrduce sme security methds implemented in vting platfrms and evaluate their efficiency n achieving the security bjectives demanded in a secure electin. These measures will be used in this paper t evaluate the risk mitigatin f remte vting platfrms. Authenticatin methds: ne imprtant issue in Internet vting is hw vter identity can be prved in a remte way. A usual apprach cnsists n prviding a username and a passwrd t the vter at the time f registratin, and request fr them at the time f casting the vte, t ensure the identity f the vter. Fllwing this apprach, the username / passwrd values have t be stred in the vting server in rder t verify the identity f the vter. Therefre, in case an external attacker gains access t it, these credentials culd be stlen frm r mdified in this server, in rder t impersnate valid vters. Mrever, these credentials are vulnerable t eavesdrpping attacks that intercept the passwrds when submitted. Alternative prpsals cnsist n using strng authenticatin methds, such as netime passwrds r digital certificates. One-time passwrds prevent the re-use f intercepted credentials, since the authenticatin infrmatin sent (passwrd) changes each time the vter is authenticated. The mst rbust slutin fr vter authenticatin is the use f digital certificates, since it prvides, in additin t access authenticatin, data authenticatin: by digitally signing her vte, the vter can demnstrate that she is the wner f a specific vte. When this apprach is used, the vte is encrypted befre being signed. Otherwise, the digital signature culd be used t crrelate vters with vtes. In case vters d nt have digital certificates (e.g. an electrnic ID card), a key raming mechanism can be used t prvide digital certificates t vters when casting their vtes. The digital certificate wuld be prtected by a PIN r passwrd knwn by the vter. This passwrd is nt stred in a remte database and therefre cannt be accessed t impersnate the vter. Vte encryptin: in an e-vting platfrm, vtes are vulnerable t eavesdrpping practices during their transmissin and strage. Therefre, vte encryptin at the time f vte casting is f paramunt imprtance t preserve vte secrecy. Sme vting platfrms implement vte encryptin at the netwrk transmissin level, using SSL cnnectins between the vter PC and the vting server. Hwever, SSL encryptin falls shrt t prtect end-t-end vter privacy, since the vte is nt encrypted when leaving the transmissin channel: the vte is received at the vting server in clear text. Therefre, any attacker that gains access t the server system culd access t the clear-text vte infrmatin and break the vter privacy. T slve this issue, it is strngly recmmended t use data level encryptin f vtes, such as encrypting the vtes using an electin public key. That way, any attack at vting server level will nt cmprmise vter privacy, since vtes leaving the vting channel are still encrypted. The prtectin f the electin private key is further discussed in a later sectin. Vte integrity: cast vtes are vulnerable frm being tampered with by attackers that gain access t the vting system. As mentined in previusly sectins, an efficient apprach t prevent vte manipulatin after casting a vte is t digitally sign it after encryptin. Alternatively, vtes can be prtected by applying a cryptgraphic MAC functin (e.g., an HMAC functin) and send this value as an integrity prf f the vte. Hwever, this measure has sme security risks, since the key used t calculate the MAC functin must be als knwn by the vting server t validate the vte integrity. Therefre, an attacker wh gained access t the vting server culd generate valid integrity prfs f mdified vtes. Digital signatures issued by vters d nt have this prblem. Mrever, digital signatures can be used fr bth integrity verificatin and identificatin purpses. In additin t digital signatures, advanced cryptgraphic techniques, such as zer-knwledge prfs f rigin [3], can be used t ensure that the encrypted vte has been recrded as cast by the vter. The digital signatures and zer-knwledge prfs can

3 be stred jintly with the vtes in the digital ballt bx, in rder t ensure their integrity until the mment f vte decryptin Prtectin f the electin private key: as mentined befre, the electin private key is aimed t prtect vters privacy and intermediate results secrecy. Usually, asymmetric encryptin algrithms are used: vtes are encrypted using a public key, and they can nly be decrypted using the crrespnding private key. T prevent that an individual persn culd decrypt the vtes, this key must be prtected using a separatin f duties apprach. A recmmended practice cnsists n splitting the key in several shares using threshld cryptgraphy algrithms, and t give ne share t each Electral Bard member. That way, a minimum number f Electral Bard members must cllabrate t recver the electin private key and decrypt the vtes. It is f paramunt imprtance t use a threshld scheme t prevent that the lss f ne share culd prevent the decryptin f the vtes. Annymizing vtes befre decryptin: mst vting platfrms directly decrypt the vtes at the end f the electin. Hwever, if the decryptin is dne straight frward, it culd be pssible t crrelate clear text vtes with encrypted nes and, therefre, t riginal vters. It is critical t break the crrelatin between clear text vtes frm the riginal casting rder. The mst efficient methds are based n Mixnets, where vtes are shuffled and decrypted/encrypted several times befre btaining the vte cntents; and the hmmrphic tally, where the electin result is btained withut decrypting the individual vtes, but decrypting the result f perating the encrypted vtes. Other methds (such as randmizing vtes while stred) culd nt fully guarantee that there is n link between vtes and vting rder. Individual and Universal verificatin methds: ne f the majr cncerns f remte vting in general is the lack f means fr the vter t verify the crrect receptin and cunt f her vte. The intrductin f remte electrnic vting can prvide t the vters sme means t individually verify the vting prcess, prviding mre cnfidence and detecting pssible attacks. The verificatin prcess can be split in tw methds: cast as intended and cunted as cast verificatin. The cast as intended verificatin cnsists n ensuring that the vte received by the vting server cntains the vting ptins riginally selected by the vter. Fr instance, it can be used t detect if the vter cmputer has any malware that is changing her vting ptins befre encryptin. One way t perfrm this verificatin cnsists n calculating special cdes (cmmnly called Return Cdes) using the encrypted vte received at the vting server, and returning them t the vter. The vter will in turn use a special Vting Card issued fr the electin t verify that the received Return Cdes are thse assigned t the vting ptins she has chsen. Since the Return Cdes are calculated using a secret key nly knwn by the vting server, an attacker cannt deliver frged Return Cdes t the vter withut being detected. The cunted as cast verificatin cnsists n ensuring that the vte cast by the vter is included in the final tally. This verificatin detects manipulatin r deletin f cast vtes. One methd t ensure that the vte has reached the cunting phase is t deliver t the vter a receipt with a randm identifier. If this randm identifier can nly be retrieved frm the encrypted and tallied vtes, a vter can then verify that her vte has been included in the tally. It is f paramunt imprtance that these randm identifiers cannt be crrelated with clear text vtes. Otherwise, the Vting Receipt culd be used fr vte buying r cercin practices. This measure must be cmplemented with the universal verificatin f the decryptin prcess. Universal verificatin shuld allw auditrs and bservers t verify in an irrefutable way that the decrypted vtes represent the cntents f the encrypted nes. In ther wrds, that the decryptin prcess did nt manipulate the results. This can be achieved using advance cryptgraphic techniques. Traceability and Auditability: traceability is essential fr an Internet vting platfrm: lgs r prfs generated by the different mdules can be used t detect and react against real-time attacks r malfunctins, as well as ensuring the reliability f the electin results. All the sensitive peratins perfrmed in the vting platfrm mdules have t be registered in lgs, taking care f nt registering infrmatin that can cmprmise vters privacy. In rder t prevent an attacker frm deleting r mdifying these lgs (t hide any attack), they can be cryptgraphically prtected, in such a way that a specific lg cannt be deleted withut detectin. Als, critical prcesses such as vte decryptin shuld be designed t prvide cryptgraphic prfs f crrect perfrmance, s an auditr can verify that the electin results actually crrespnd t the values f the vtes cast by the vters. It is recmmended the use advanced cryptgraphic techniques t audit the crrect perfrmance f these prcesses. Therefre, bth auditrs and vters can participate in the audit

4 prcess (universal verifiability), increasing als the vter cnfidence. IV. Risk Mitigatin in Remte Vting Depending n the apprach used fr implementing a remte electrnic vting platfrm, security risks are managed in mst efficient way. Therefre, the analysis n hw these risks are prperly mitigated is f paramunt imprtance when taking a decisin f implementing a remte electrnic vting prcess. Several studies and reprts discussing the risks and cuntermeasures f specific schemes fr remte vting have been presented [4], [5], highlighting the main differences between pstal vting, fax vting, e- mail vting and Internet vting. Hwever, these analyses are mainly fcused n cmparing hw the risks are managed by the different remte vting channels. In this sectin, we cmpare hw different remte electrnic vting platfrm appraches manage the security risks present in remte vting. T this end, we will use as reference the security risks intrduced at the beginning f this paper. In additin, t evaluate the risk mitigatin efficiency f each apprach, we will use as reference hw similar risks are addressed in pstal vting. Unauthrized vters casting vtes, vter impersnatin and ballt stuffing. Internet Vting with strng authenticatin: Mitigatin Level: High. Vters are prtected frm reply attacks and nly vtes digitally signed by valid vters are accepted. Internet Vting with passwrd-based authenticatin: Mitigatin Level: Lw. Vters are vulnerable t credential stealing attacks. Ballt stuffing is pssible. Pstal Vting: Mitigatin Level: Lw. Vter handwritten signatures are difficult t validate r nt always validated. Ballt stuffing is pssible. Vter privacy cmprmise. Internet Vting with data-level encryptin: Mitigatin Level: High. Vtes are encrypted befre being cast. Cryptgraphic measures can be implemented t break any cnnectin between vte and vter (such as vte shuffling prcesses befre decryptin). Internet Vting with netwrk-level encryptin (SSL): Mitigatin Level: Lw. Vtes are nly prtected during their transmissin and cntents culd be accessed at vting server. Pstal Vting: Mitigatin Level: Medium. Vtes are stred in envelpes cntaining the names f the vters. Vtes can be intercepted t access t their cntents befre they are received by electin fficials. Vter cercin and vte buying. Internet Vting with multiple-vting: Mitigatin Level: Medium. If a vter is cerced, she can cast a new vte later. Internet Vting with kisk: Mitigatin Level: High. Vte is cast in a cntrlled envirnment as traditinal electins. Pstal Vting: Mitigatin Level: Lw. Vters can shw the selected vting ptins t third parties befre casting their vtes. Vte mdificatin. Internet Vting with vter digital signatures: Mitigatin Level: High. Only valid vters can digitally sign vtes. Internet Vting with server digital signatures: Mitigatin Level: Medium. Vtes can be manipulated befre being digitally signed by the server. Internet Vting with MAC digital signatures: Mitigatin Level: Lw. Integrity prfs can be frged in case f getting access t the vting server. Pstal Vting: Mitigatin Level: Lw. There is n way t detect that the cast vte has been mdified. Vte deletin. Internet Vting with cryptgraphic vting receipts: Mitigatin Level: High. Vting receipts allw vters t detect the eliminatin f their vtes. Internet Vting with standard vting receipts: Mitigatin Level: Lw. Vting receipts nly allw vters t knw that the server received the vte. Pstal Vting: Mitigatin Level: Lw. It is pssible t eliminate r delay valid vtes withut detectin. Publicatin f nn-authrized intermediate results. Internet Vting with data-level encryptin: Mitigatin Level: High. Only the Electral Bard members can decrypt the vtes at the end f the electin. Secret sharing techniques can be used t ensure separatin f duties when decrypting. Internet Vting with netwrk-level encryptin (SSL): Mitigatin Level: Lw.

5 Intermediate results culd be btained frm clear-text vtes received in the vting server. Pstal Vting: Mitigatin Level: Medium. Vtes culd be intercepted during transprtatin. Vter distrust. Internet Vting with cryptgraphic verificatin methds: Mitigatin Level: High. The use f individual and universal verificatin methds, allws vters and auditrs t verify the crrect behavir f the vting platfrm. Internet Vting withut verificatin methds: Mitigatin Level: Lw. Vters have t trust the vting platfrm, since they have n evidence f the crrect recrding and cunting f their vtes. Pstal Vting: Mitigatin Level: Lw. There is n guarantee that the vte is received and cunted by Electin Officials. Electin byctt-denial f service. Internet Vting: Mitigatin Level: Medium. Despite remte e-vting is vulnerable t DS attacks, the advantage is that vters and electin managers can detect this behavir and apply crrective measures t reduce the impact (e.g., vte using an alternative channel r server). Pstal Vting: Mitigatin Level: Medium. DS attacks (e.g., delivery delays) are impssible t detect and, therefre, are mre effective than previus nes. The difference is that these are mre difficult t implement. Inaccurate auditability. Internet Vting with cryptgraphic audit means: Mitigatin Level: High. The use f individual and universal audit means facilitates t audit the real behavir f the vting platfrm. Using immutable lgs ensures that audit prcesses are based n reliable audit data. Internet Vting with standard audit means: Mitigatin Level: Lw. Audit prcess is based n standard lg infrmatin that culd be tampered with. Pstal Vting: Mitigatin Level: Lw. Audit means nly cver part f the vting channel. cnsidered when evaluating the security f an e- vting platfrm. T shw the impact f sme f these measures, we evaluated hw they can mitigate sme f the security risks f remte vting. In this evaluatin we als cnsidered the efficiency f Internet vting platfrms implementing mre standard security measures and als pstal vting. The main cnclusin is that the use f cryptgraphic mechanisms des nt always increase the security f the vting platfrm if they are nt prperly implemented. References [1] UOCAVA law nline: [2] MOVE Act is Subtitle H f H.R. 2647: [3] Jakbssn, M. A practical mix. In K. Nyberg, editr, EUROCRYPT '98, pages Springer-Verlag, LNCS N [4] Puiggalí, J. and Mrales-Rcha, V Remte vting schemes: a cmparative analysis. In Prceedings f the 1st internatinal Cnference n E-Vting and Identity (Bchum, Germany, Octber 04-05, 2007). A. Alkassar and M. Vlkamer, Eds. Lecture Ntes In Cmputer Science. Springer-Verlag, Berlin, Heidelberg, [5] Regenscheid, A. and Hastings, N A Threat Analysis n UOCAVA Vting Systems. NIST. V. Cnclusins In this paper, we have presented the security risks f a remte vting platfrm, and intrduced sme recmmendatins f security measures that must be