Berteletti
Elia, eb84@cornell.edu
“List security properties that the builders of
an electronic voting system might be required to implement:”
A typical election is composed of 4 major phases [1]:
§
Registration
§
Validation
§
Collection
§
Tallying.
Requirements for each of these phases are proposed as well
as system wide requirements and information transfer requirements. Note that
some requirements might be similar or include each other (a stronger or more
generic requirement includes a weaker or more specialized requirement). Some
requirements might seem to be in contrast with one another. The purpose of this
paper is to list reasonable requirements not to sort them out or provide a
minimal yet comprehensive list. I tried to categorize them as stated above only
to provide a context in which they can be better understood.
During the Registration period, eligible
voters are either formally registered for the election or are notified of the
upcoming election along with dates and times of the event.
â
Prevent ineligible users to register
for the election;
â
Prevent eligible voters from
registering more than once;
â
Prevent anyone to register under the identity of another
eligible voter;
â
Prevent anyone from registering under the identity of a
deceased person;
During the Validation phase, the
election administrators must validate the credentials of the users attempting
to cast their vote.
â
Prevent non-registered users from casting a vote;
â
Prevent any user from voting more than once;
â
Prevent other users from casting votes on behalf of users
who choose to abstain (and thus do not use the system);
The collection phase consists in
collecting the voted ballots.
â
Prevent the voted ballots to be replaced by other, false,
ballots;
â
Prevent false ballots to be added;
â
Prevent voted ballots to be traced back to the voter;
â
Prevent valid ballots to be removed;
â
Prevent voted ballots to be altered;
â
Prevent voted ballots from being invalidated;
Tallying is the action of counting the votes to
determine the election results.
â
Prevent the tallying entity to miscount
â
Prevent the entity from adding / replacing ballots, removing
ballots, altering or invalidating ballots.
â The system must be Accurate. A system is accurate
if (1) it is not possible for a vote to be altered, (2) it is not possible for
a validated vote to be eliminated from the final tally, and (3) it is not
possible for an invalid vote to be counted in the final tally. [2]
â The system must be Democratic. A system is
democratic if (1) it permits only eligible voters to vote and (2) it ensures
that each eligible voter can vote only once. [2]
â The system must be Private. A system is private if (1) neither election authorities
nor anyone else can link any ballot to the voter who cast it and (2) no voter
can prove that he or she voted in a particular way. [2] This point is important in the sense that it prevents
selling or buying votes. The problem becomes more complicated when designing
Internet-based, vote-from-anywhere (see mobility, below) systems. Nothing can
guarantee that a vote is not being cast in the presence of a third party. [3]
â The system must be Verifiable. A system is
verifiable if anyone can independently verify that all votes have been counted
correctly. [2]
â The system must be Convenient. A system is
convenient if it allows voters to cast their votes quickly, in one session, and
with minimal equipment or special skills. [2]
â The system must be Flexible. A system is flexible
if it allows a variety of ballot question formats, including open-ended
questions. Flexibility is important for write-in candidates and some survey
questions. Some cryptographic voting protocols are inflexible because they only
allow for single-bit (yes/no) votes. [2]
â The system must be Mobile. A system is mobile if
there are no restrictions (other than logistical ones) on the location from
which a voter can cast a vote. [2]
At this point we imagine a system that meets all of the
above characteristics. Even if this system were to be implemented, problems
would subsist. Indeed, messages travel on networks (public or private) since
the eligible voters would cast their votes from home or from a voting booth,
and a server would collect the votes. Finally, election results would be
publicized (broadcast in some way) at the end of the election.
Messages, encrypted or not, transiting on private or public
networks, are susceptible to attacks.
â
Prevent that messages be altered on their way to the server
and back to the client;
â
Prevent the viewing of messages transiting from server to client
and back;
â
Prevent the alteration or destruction of messages (ballots…)
on the server;
â
Prevent the alteration or substitution of the client
program;
â
Prevent the alteration of the posted election results;
â
Prevent the creation / existence of an impostor middleman sitting between
the client and server; examples include: If the client and/or server are Java
based, prevent the JVM from being a corrupted version that would
alter/record/destroy/… votes or trick the user. This also can apply to the OS;
it must be trusted. A middleman can also be a third machine sitting between the
client and the server.
â
Provide no ambiguity about whether the voter failed to vote
or the machine failed to record selections [4]; this specifies that audit
trails are necessary to document operations and provide confidence in the
results reported. It specifies two types of audit trails: one records steps in
the operation of the equipment, while the other records steps in the voting and
vote-tallying process.
â Be able to reconstruct the ballots in their entirety, verify
that no unusual or unauthorized events took place during voting or tabulation,
and review the correctness of the vote totals; [7]
â
If DRE (Direct Record
Electronic) machines are used in voting booths then they must record all the
votes in a local memory to be compared with the total final result as a means
of verifying integrity;
If we imagine a system where generic voting software is
written and then specialized based on the election, then the software must be
either downloaded by the users or uploaded in a stand-alone machine.
â
Preventing the possibility of hidden code and/or
undocumented changes [4] in both the server program and client program;
â
Necessity of a software producer that can be held
accountable;
â
Prevent the code to be altered during the Upload or Download
process described above;
â
Provide a method for the user to make sure the client
program he/she downloads/uses to cast a vote comes from a trusted party;
â
Preventing attacks of the type “Denial Of Service”, DOS or
DDOS; [5]
â
Prevent malicious
payloads from causing the voter’s vote to be changed even before the
message is encrypted and authenticated;
In this case programs known as Trojans (backorifice being
the most popular www.bo2k.com) enable
the attacker to manipulate a victim’s machine at will. Thus compromising the
voter’s privacy, and the system’s accuracy.
â
Prevent attackers to steal votes from legitimate users by creating fake servers with which the
unaware voter will communicate;
â
Provide a mechanism by which the vote would be cast in an
atomic way; this would prevent tallying errors in case the client/server
crashes half way through the transaction;
â
The system must avoid using DNS lookups to connect to the
server so as to avoid problems involving DNS server attacks;
â
Be decentralized as much as possible in order to prevent
corruption of the only server in the system.
[1]
ACM Crossroads,
Electronic Voting Computerized polls may save money, protect privacy by Lorrie
Faith Cranor, http://www.acm.org/crossroads/xrds2-4/voting.html;
Tuesday, 23-Jan-01.
[2] Cranor,
L.F. and Cytron, R.K. Design and Implementation of a Security-Conscious
Electronic Polling System. Washington University Computer Science Technical
Report WUCS-96-02. February 1996.
[3] Benaloh, J. and Tuinstra, D. Receipt=free secret-ballot
elections. In Proceedings of the Twenty-sixth Annual ACM Symposium on the
Theory of Computing (May 23-25 1994) pp. 544-553.
[4] R. G. Saltman, Accuracy, integrity and security in computerized vote-tallying
Communications of the ACM October 1988 Volume 31 Issue 10
[5] Lance J. Hoffman, Internet voting Proceedings of the tenth
conference on Computers, freedom and privacy : challenging the assumptions April 2000
[6] Avi Rubin AT&T Labs – Research Security Considerations for Remote Electronic Voting over the Internet
Florham Park, NJ; http://avirubin.com/e-voting.security.html
[7] CFP'93 - Electronic Voting - Evaluating the Threat by Michael Ian Shamos, Ph.D., J.D. Carnegie-Mellon University
Network Voting System Standards Draft -
January 25, 2002 http://www.votehere.net/nvss/NetworkVotingSystemStandards.pdf
National governors association: http://www.nga.org/nga/lobbyIssues/1,1169,D_1194,00.html
The Federal Election Commission web site: http://www.fec.gov/