Security Issues Facing Online Voting Systems

Nov 3, 2013


Joe Hernandez

MEIA


CS-6910

Dr. Chow



Overview


Security of Remote Online Voting [1]


Two Case Studies


Troubles faced by each election


Cryptographic Foundations


Blind Ballot using Public Key Cryptography (PKC)


Voting Protocol using PKC


Blind Ballot using Public Key Infrastructure (PKI)


Modified Voting Protocol using PKI


Technology Risks Facing Online Voting


Election Risk & Security


Suggested security measures for online voting









July 25, 2011

Jhernandez/Online Voting System

2

Paper Review

The Security of Remote Online Voting [1]


Paper discusses two cases of Internet voting


Arizona Democratic Party Election in 2000


Student Council Elections @ University of Virginia


The internet will solve typical voting problems


Eliminate “Hanging Chad”


Speed up counting process


Eliminate lengthy recounts


Increase voter turnout


Guarantee the intent of the voter (simplify voting)


Case Studies


2000 Arizona Democratic Primary


First major use of internet voting


A legally binding political election


Considered a “Private” election


Not subject to voting standards


Contracted out to election.com


Vendor claimed success (financial motivation)


Many things went wrong!!





What went wrong?


Failed to heed warnings from Tech Experts


Voters forgot, lost, or received wrong PIN #s


Violated “Secret Ballot” by assigning PINs


Minority access to internet/computers


Computer/Browser compatibility issues


Site down for an hour on election day


No customer service / limited help desk support


Multiple lawsuits filed


Violated 1965 Voting Rights Act


Belief security was “Airtight”


Used proprietary encryption algorithm





Case Study


University of Virginia Student Council Elections


Small, simple, successful


Paper ballots not effective


Ease of Internet access among campus population


Minimal hardware/software necessary


Ease of authentication with a small population


Similar problems to Arizona Election


What went wrong here?


Believed in community of “Trust”


Servers crashed within minutes of the election


Student information was publicly available


Making it easy to hijack someone's vote


Votes were not encrypted in transmission


Students restricted from voting


Based on department


Overseas students could not vote


Based on “Class Status” determined by credit hours


Alphabetical ordering of candidates


Students on top appeared to be favored


Fundamental tradeoff between security and convenience







Cryptographic Foundations


Online voting depends upon Public Key Cryptography


Diffie-Hellman public key exchange, 1976


Changed cryptography forever


Allows for two people to generate a secret key


RSA allowed for use of two keys (Public & Private)


RSA also allows for digital signature of messages


PKC used for Authentication and Confidentiality


Makes (theoretical) online voting possible


Can be used to generate “Blind Ballots”


Blind Ballots


Voter's right to keep vote private










Blind Ballot using PKC

Message (M)

Blinding Factor (r)

Blinded Doc (M * r)

Notary's Signature ($K_R$)

Signed Blinded Doc: $E_{K_R}(M * r)$

Divide by Blinding Factor (r)

Signed Message: $E_{K_R}(M)$

Is something wrong with this method?


Is message/vote truly blinded?

Registration Server

PIN Database

Voter received a PIN during registration

Blinded Ballot and PIN sent to Validator: $E_{K_R}(M * r) + PIN$

Validates voter's PIN, signs ballot & sends back to voter

Blinded Ballot signed by Validator: $E_{K_V}(E_{K_R}(M * r))$

Voter removes blinding and passes signed ballot to tallier anonymously*: $E_{K_V}(M)$

Validated vote tallied
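The blind-ballot exchange on the two slides above, worked through with textbook RSA (Chaum-style blind signatures) as an added example; it is not code from the slides or from the thesis they review. It goes one step past the slide's M * r shorthand by blinding with r^e mod N so that dividing by r leaves a valid signature, and the toy key, the PINs, the SHA-256 ballot encoding and every function and class name are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the validator (constructed; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1          # two known Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # validator's private exponent

def encode(ballot: str) -> int:
    """Map a ballot string to an integer M < N (toy encoding via SHA-256)."""
    return int.from_bytes(hashlib.sha256(ballot.encode()).digest(), "big") % N

def blind(m: int):
    """Voter: pick a random blinding factor r, return (M * r^e mod N, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def unblind(signed_blinded: int, r: int) -> int:
    """Voter: divide by r, leaving the validator's signature on M itself."""
    return (signed_blinded * pow(r, -1, N)) % N

def verify(m: int, sig: int) -> bool:
    """Tallier: check the signature with the validator's public key (N, E)."""
    return pow(sig, E, N) == m

class Validator:
    """Holds the PIN database; signs one blinded ballot per registered PIN."""
    def __init__(self, pins):
        self.unused = set(pins)
        self.seen = []                # everything the validator ever learns

    def sign(self, pin: str, blinded: int) -> int:
        if pin not in self.unused:
            raise PermissionError("unknown or already used PIN")
        self.unused.remove(pin)
        self.seen.append((pin, blinded))
        return pow(blinded, D, N)

def cast(validator: Validator, pin: str, ballot: str):
    """Voter side end to end: returns (M, signature) for the tallier."""
    m = encode(ballot)
    blinded, r = blind(m)
    return m, unblind(validator.sign(pin, blinded), r)
```

The validator's log holds only (PIN, blinded value) pairs, so it can enforce one signature per PIN without ever seeing M.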


Modified Blind Ballot using PKI

Message (M)

Election Public Key (EPK): $E_{EPK}(M)$

Encrypted Vote $E_{PK}(M)$ (Blinded)

Voter's PIN from Registration Process: $E_{PK}(M) + PIN$

Validator's Public Key (VPK): $E_{VPK}(E_{EPK}(M) + PIN)$

Vote blinded from Validator

Confidentiality and Integrity provided between voter and Validator


Modified Voting Protocol

Encrypted Blinded Ballot with PIN: $E_{VPK}(E_{EPK}(M) + PIN)$

PIN Database

Is PIN Valid

Decrypts & Validates Vote, Removes PIN, Signs Ballot with Private Key, Sends to Voter

Database

Blinded Ballot Signed by Validator: $E_{VPRK}(E_{EPK}(M))$

Signed Blinded Ballot Entered Into Database: $E_{VPRK}(E_{EPK}(M))$

Voting Database

Vote Database

Validated Votes tallied (Must have Election Private Key)


Comparison of elections

Arizona Election


Large scale election


Traditional methods - Status Quo


Legally binding


Internet not available to everyone


Lawsuits filed


Some voters could not vote


Large target audience (State)


Authorization req. Registration


Large political target for hackers


Undisclosed funds spent


Security a major concern


Trust a major issue!!


Considered a failure


University of Virginia


Small scale election


Traditional methods too costly


Not legally binding


Everyone had internet access


No legal requirements


Voters unable to vote


Small targeted group (Campus)


Authorization via Registration


Small target for hackers (No gain)


Managed in house by IT Dep.


Trade security for convenience


Trust within community!!


Considered a success





Technology Risks for Online Voting


Security Risks associated with Online Voting


Internet is still a very insecure medium


Spyware, Malicious Code, Botnets, Hackers, Oh My!!!


Spam


Bogus e-mails or links to Bogus Voter Websites


Poorly developed applications


Distributed / Denial of Service Attacks (DoS / DDoS)


Physical attacks possible


Insider threat, intentional or unintentional


Rarely a brute force attack against crypto algorithms


Election Risk & Security

[Chart: Election Risk / Criticality of Outcome plotted against Security Measures ($ to $$$$), with CIA Triad levels Low, Moderate, High and Off The Hook, divided into zones 1 to 4. Elections shown: Student Council Election, University Official, City Public Official, State/National Committee, State/Federal Official, Presidential Election.]


Trust in technology/internet


Technology & Internet is part of our culture


Ease of Internet Access


Online Banking


Online Sales


Amazon etc.


Use of ATMs


290,000 ATMs in US - 1999

14.9 Billion Transactions - 1998


Debit/Credit Cards


Airline Tickets on your Cell phone


Approved by the TSA!


http://www.google.com/publicdata?ds=wb-wdi&met_y=it_net_user_p2&idim=country:USA&dl=en&hl=en&q=internet+usage+statistics



Zone 1 - Security


Things to consider


Keep it simple!


Utilize SSL


Establish Secure Web Site/Server


Enforce strong username & passwords


Keep systems patched and anti virus/spyware current


Apply applicable STIGs from DISA or NSA


Eliminate unnecessary applications/software (harden system)


Use available tools to scan for vulnerabilities before election


Backup your website and your data (daily) keep data secure


Limit your exposure - open website during voting hours only


Possible use of a firewall or host system at a secure site if $$ allow





$ - Low

CIA - Low

Legal - None


Zone 2 - Security


Things to consider


Zone 1 security requirements


Firewall / DMZ


Host-based Intrusion Detection System


Public Key Cryptography


Authentication, Authorization, Accountability (AAA)


Redundant systems


Alternate / Backup site


Internal review/certification (NIST 800-53 / Low-Moderate)


Consider Web Site Security (OWASP Top 10)


Requires individual registration and issuing of PIN #s








$$ - Moderate

CIA - Moderate

Legal - Possible


Web App Security Risks

The OWASP Top 10 Web Application Security Risks for 2010:

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards


Zone 3 - Security


Things to consider


Zone 2 security requirements


Independent registration system


Enhanced firewalls


Deep Packet Inspection


Intrusion Detection / Prevention Systems


VPNs


End-to-End Encryption (PKC/PKI)


Cryptographic Authentication for Officials


Penetration testing


Independent certification/Review (NIST 800-53 / Moderate-High)


Functional and Compatibility Testing


Legal review


Ensure compliance with applicable laws







$$$ - High

CIA - High

Legal - State/Federal

DMZ


Zone 4 - Security


Things to consider


Zone 3 security requirements


Multiple Independent Operating Locations


High Availability & Redundancy Distributed across the Enterprise


DOS/DDOS Detection/Reaction, and Redirection of Authorized Traffic


Multiple Linked Online Intrusion Detection / Prevention Systems


Enterprise monitoring /Management (networks/servers/databases...)


Private/Dedicated encrypted networks compliant with FIPS 140-2


Heavy use of PKI & End-to-End Encryption


Multiple Independent certifications/Reviews (NIST 800-53 / High)


Federal/States Legal review


Ensure compliance with applicable laws






$$$$ - Very High

CIA - High + AAA

Legal - Federal/State


Conclusion


Issues facing Online Voting are enormous


Internet continues to be an insecure medium


Insecurity is across the board - clients, applications, networks…


Insecurity seems to be increasing


Trust across the community is lacking


Issues range from Technical to Administrative through Legal


Problems persist, new ones arise, old ones are not fixed


Small scale voting seems to be far more successful


Cryptographic techniques exist to support Online Voting


Further research into multiple online voting areas still needed











Sources

[1] The Security of Remote Online Voting - Thesis, Daniel Rubin, School of Engineering and Applied Science, University of Virginia
