Security quotes of the week

Security quotes of the week

Posted Feb 7, 2013 17:48 UTC (Thu) by apoelstra (subscriber, #75205)
In reply to: Security quotes of the week by drag
Parent article: Security quotes of the week

> I have no doubt that internet voting could be made to work.

Technologically, sure. But you need to have (a) a public record (everyone can see what they voted), (b) privacy (nobody can see what anyone else voted for), (c) accessibility (nobody needs special ID or keys or anything). And you need a simple enough system that people will trust you when you tell them that these points are satisfied.

The simplicity thing is probably what will get you. Otherwise you could say "register a GPG key when you register to vote, then sign "I, ZZZ, vote for XXX at time YYY" and encrypt the signed message with the government voting key".

Good luck getting Joe Public to figure out and handle a public key :) Especially when any software he uses will now be a huge spyware target.

And of course, this is in addition to the requirement that all code be correct and open and securely installed ...

> I also have no doubt that the government will never, ever, be able to accomplish this task.

I think that, even if you had a private board of cryptographers, security researchers and programmers, with infinity money and a love of democracy, you'd still be unable to produce a system the public could use.


Security quotes of the week

Posted Feb 7, 2013 22:39 UTC (Thu) by renox (subscriber, #23785)

>> I have no doubt that internet voting could be made to work.
> Technologically, sure.

Who cares about the technology?
Internet voting allows effective purchase of votes and removes privacy (one family member could check what the other one is doing).

Security quotes of the week

Posted Feb 7, 2013 23:02 UTC (Thu) by apoelstra (subscriber, #75205)

> Internet voting allows effective purchase of votes and removes privacy (one family member could check what the other one is doing).

Well, you could still use (or even require) public kiosks, and keep using paper ballots in case a human recount is demanded. You'd still get improved count efficiency and consistent audit trails.

Alternately, you could allow multiple votes and only count the most recent one, which is easy to do if everybody has a unique encryption key.

This would handle problems of physical coercion. I don't see how buying votes would become any easier or harder.

Security quotes of the week

Posted Feb 7, 2013 23:28 UTC (Thu) by renox (subscriber, #23785)

>> Internet voting allows effective purchase of votes and removes privacy (one family member could check what the other one is doing).
> Well, you could still use (or even require) public kiosks

Then this is not Internet voting any more; Internet voting is voting with your own PC.

Security quotes of the week

Posted Feb 14, 2013 4:27 UTC (Thu) by davidescott (guest, #58580)

> Alternately, you could allow multiple votes and only count the most recent one, which is easy to do if everybody has a unique encryption key.

"most recent" what does that mean? You've just moved a problem in security into one of atomicity and global timekeeping. I think Einstein would have some thoughts on how plausible this approach would be.

Security quotes of the week

Posted Feb 14, 2013 5:48 UTC (Thu) by apoelstra (subscriber, #75205)

>"most recent" what does that mean?

Time ordering would be determined by hash chains, probably. So you could see "vote X overrides vote Y" and there would be no way to interpret this as "vote Y overrides vote X".

No need to map to/from physical time, except by accident. So Einstein would be happy. :)

Security quotes of the week

Posted Feb 14, 2013 16:30 UTC (Thu) by davidescott (guest, #58580)

> Time ordering would be determined by hash chains, probably.

The obvious question is "hash chains of what?" I think you are pretty aware of one major challenge which is simplicity in that you earlier said:

> The simplicity thing is probably what will get you. Otherwise you could say "register a GPG key when you register to vote, then sign "I, ZZZ, vote for XXX at time YYY" and encrypt the signed message with the government voting key".

So let's replace "time YYY" with "most recent publicized hash base." It needs to be something public, otherwise Fox News would have a field day. Pay a bunch of people to vote for Obama and submit that, and then wait until after the results are announced to produce a few thousand new votes, properly signed with the government public key and chained against the individuals' previous votes in the register, that are for Romney. THE ELECTION WAS RIGGED!!!! VOTERS CHANGING TO ROMNEY DENIED THE OPPORTUNITY!!!!!

So the government manages a clock/checkpoint which takes in all votes V_i arriving at time T, computes and publicizes a hash H_{T+1}=H(H_{T},V_1,...,V_n), and each vote includes as part of its signature H_{t} for some publicized t. If the vote has a stale hash as the base to its signature, I should reject it and notify the voter to resubmit.

There is still a synchronization point, but at least people will know about a failed vote and can resubmit. The problem here is that it's split one vote-counting problem into a few thousand vote-counting problems. Every Joe who submits his vote at 11:59pm and sees it rejected is going to think he was targeted in his vote denial and not that his web connection was a bit slow.

There is also no simple way to verify that H_T was properly computed from the incoming votes and previous hash values. Independent observers will see votes arrive in a different order than the official hashing agent, and will compute different hashes as a result. Trying to reconcile that is going to be a mess and cause people to lose confidence in the system. My server saw Joe's vote arrive at 11:01pm, but your server claimed it didn't arrive until 12:15am. Clearly you have a bug in your server's queue so I question every vote you tally or refuse to tally beginning at 11pm.
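
The checkpoint scheme sketched in the two comments above (votes chained to the latest publicized hash, stale bases rejected, only a voter's latest accepted vote counted) can be written down in a few dozen lines. The following is an added example by the editor, not code from any commenter or from a real voting system. It assumes a per-voter HMAC as a constructed stand-in for a GPG signature, a SHA-256 checkpoint hash H_{T+1}=H(H_T, V_1, ..., V_n) in arrival order, and three constructed voters; it also shows the ordering problem raised in the last paragraph: two observers who see the same batch in different arrival orders compute different H values, and agree only once the batch is put into a canonical order.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a voter's GPG signing key: an HMAC key registered
# at voter-registration time. Not real signature crypto; the chaining and
# rejection logic is what this example is about.
VOTER_KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}


def vote_bytes(record):
    return json.dumps(record, sort_keys=True).encode()


def make_vote(voter, choice, base_hash):
    """'I, ZZZ, vote for XXX' with 'time YYY' replaced by the most recent
    publicized checkpoint hash, then signed (here: HMAC) by the voter."""
    body = {"voter": voter, "choice": choice, "base": base_hash}
    sig = hmac.new(VOTER_KEYS[voter], vote_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def verify_vote(vote):
    key = VOTER_KEYS.get(vote["voter"])
    if key is None:
        return False
    body = {k: vote[k] for k in ("voter", "choice", "base")}
    expected = hmac.new(key, vote_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, vote["sig"])


def next_checkpoint(prev_hash, votes):
    """H_{T+1} = H(H_T, V_1, ..., V_n) over the votes in the order given."""
    h = hashlib.sha256(prev_hash.encode())
    for v in votes:
        h.update(vote_bytes(v))
    return h.hexdigest()


class CheckpointAuthority:
    GENESIS = "0" * 64

    def __init__(self):
        self.chain = [self.GENESIS]   # publicized H_0, H_1, ...
        self.batches = []             # accepted votes, one list per interval
        self.pending = []
        self.rejected = []            # (vote, reason) pairs for resubmission notices

    @property
    def current_base(self):
        return self.chain[-1]

    def submit(self, vote):
        """Reject a bad signature or a stale base; the voter must resubmit
        against the current checkpoint."""
        if not verify_vote(vote):
            self.rejected.append((vote, "bad signature"))
            return False
        if vote["base"] != self.current_base:
            self.rejected.append((vote, "stale base, resubmit against " + self.current_base))
            return False
        self.pending.append(vote)
        return True

    def close_interval(self):
        """Publish H_{T+1} over everything accepted since H_T."""
        new_hash = next_checkpoint(self.current_base, self.pending)
        self.batches.append(list(self.pending))
        self.pending = []
        self.chain.append(new_hash)
        return new_hash


def tally(batches):
    """Only a voter's latest accepted vote counts. 'Latest' is chain order:
    a later checkpoint wins, and within a batch later arrival wins."""
    latest = {}
    for batch in batches:
        for v in batch:
            latest[v["voter"]] = v["choice"]
    counts = {}
    for choice in latest.values():
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def demo():
    auth = CheckpointAuthority()
    h0 = auth.current_base
    v_alice, v_bob = make_vote("alice", "X", h0), make_vote("bob", "Y", h0)
    auth.submit(v_alice)
    auth.submit(v_bob)
    h1 = auth.close_interval()

    # Carol built her vote against H_0 but it arrives after H_1 is public.
    stale_rejected = not auth.submit(make_vote("carol", "X", h0))
    auth.submit(make_vote("carol", "X", h1))   # resubmitted against H_1
    auth.submit(make_vote("alice", "Y", h1))   # Alice overrides her earlier vote
    auth.close_interval()

    # Two observers saw the first batch arrive in different orders.
    observer_a = next_checkpoint(h0, [v_alice, v_bob])
    observer_b = next_checkpoint(h0, [v_bob, v_alice])
    # Sorting the batch canonically (by serialized bytes) removes the disagreement.
    canon_a = next_checkpoint(h0, sorted([v_alice, v_bob], key=vote_bytes))
    canon_b = next_checkpoint(h0, sorted([v_bob, v_alice], key=vote_bytes))
    return {
        "stale_rejected": stale_rejected,
        "tally": tally(auth.batches),
        "arrival_order_agrees": observer_a == observer_b,
        "canonical_order_agrees": canon_a == canon_b,
        "chain_length": len(auth.chain),
    }
```

Canonical ordering repairs the observer disagreement only for the hash; it does not decide which of two votes from the same voter in the same interval is "most recent", which is exactly the residue of the timekeeping problem the comment points at.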

Security quotes of the week

Posted Feb 14, 2013 16:40 UTC (Thu) by davidescott (guest, #58580)

I'll back up a bit and challenge a more fundamental assumption:
> You'd still get improved count efficiency and consistent audit trails.

Count efficiency. Who says that is a problem? The vote is in November but the politicians don't begin serving until January. That leaves plenty of time to count and recount and recount again, and yet again. The only times that the outcome has been in doubt is when there is some disagreement about what constitutes a proper vote or a proper voter, i.e. hanging chads or provisional ballots. There are still "hanging chads" with electronic voting where the touchscreen gets miscalibrated or the machine crashes, and provisional ballots are entirely unaffected by electronic systems.

A judge isn't going to care that he can order up a spreadsheet that lists the winner and loser under a bunch of different potential rulings (i.e. we count the votes from Machine 23875 that failed in district 12, but not from machine 12123 in district 8 that was miscalibrated). In many ways the plausible existence of such a spreadsheet makes things worse for the judge. It's much easier to defend a ruling that says "count the hanging chads as yes" when you don't know for sure what the outcome will be.

Consistent Audit Trails. What makes a bunch of computer records a substantially better audit trail than a big heavy stack of papers in boxes that have to be physically moved around and physically manipulated to introduce fraud. In what way do we currently fail to have a consistent audit trail?

Security quotes of the week

Posted Feb 8, 2013 9:04 UTC (Fri) by micka (subscriber, #38720)

You should really add

(d) secrecy: nobody knows what you voted except you, not even assessors/officials

"I, ZZZ, vote for XXX at time YYY" doesn't work.

Security quotes of the week

Posted Feb 14, 2013 16:50 UTC (Thu) by davidescott (guest, #58580)

I'll take the contrarian position and argue that secrecy is bad for elections. It grants politicians a monopoly on corruption and denies it to Joe Public.

There seem to be two arguments for secrecy; one is to prevent a "Boss Tweed" system. I don't see how that would be so much worse than what we currently have. We have a Boss Tweed system where big corporations make donations to politicians who use that money to run ads and convince people they will help them and then do nothing of the kind because they know what side their bread is buttered on.

If a big corporation could instead just buy the votes of the poor en masse, the result might still be the same but at least the poor are getting some benefit from their vote and the corruption will be a lot more obvious. I see that as a win.

The other "secrecy is a requirement" argument comes from authoritarian dictatorships, but those systems don't have a legitimate vote counting process to begin with. Secrecy allows those dictators to claim that the results are correct and prevents independent agencies from demonstrating that they are fraudulent. The UN can say "lots of boxes which we suspect were for the opposition were loaded into a truck and disappeared so we decertified the election" but they can't say that they were in fact for the opposition.

If everyone voted publicly in those countries then the dictator might be forced to choose between stepping aside and recognizing the correct count, or mass slaughter on a regular basis of those who publicly try to subvert his authority.

Security quotes of the week

Posted Feb 14, 2013 17:05 UTC (Thu) by mpr22 (subscriber, #60784)

I'm sure that the UVF and the Provos would both have loved to have a public roster of who voted which way in Northern Ireland during the Troubles.

Security quotes of the week

Posted Feb 14, 2013 20:17 UTC (Thu) by davidescott (guest, #58580)

> I'm sure that the UVF and the Provos would both have loved to have a public roster of who voted which way in Northern Ireland during the Troubles.

And would that have led to a meaningful difference in the outcome or a substantially greater loss of life? It was already a violent period so would it make much of a difference if the violence was better targeted?

I don't know that I've seen anyone address that question directly. Everyone assumes that privacy is a requirement, and that makes the process of creating a secure, reliable, and understandable electronic voting system essentially impossible.

I'm not in favor of electronic voting in general because I don't think paper voting is that bad, but if one insists on exploring the idea you might as well explore a more substantive change in the way we vote and challenge all the assumptions to make sure you have the correct system requirements.

Security quotes of the week

Posted Feb 8, 2013 9:45 UTC (Fri) by jezuch (subscriber, #52988)

> Technologically, sure. But you need to have (a) a public record (everyone can see what they voted), (b) privacy (nobody can see what anyone else voted for), (c) accessibility (nobody needs special ID or keys or anything). And you need a simple enough system that people will trust you when you tell them that these points are satisfied.

I'd suggest you examine how Debian handles voting. I'm not extremely familiar with how it works, but AFAIK it provides (a) and (b), but fails (c) (you have to be part of the Debian's Web of Trust to have your signature accepted) and arguably simplicity (because they use Condorcet's method). I think the Project Secretary is the weak link, because someone has to decrypt the actual votes and count them, so there is a possible leak there. But it's OK because everybody trusts the Secretary :)

Security quotes of the week

Posted Feb 9, 2013 1:45 UTC (Sat) by ghane (subscriber, #1805)

How does the current, paper-based, non-internet system hold up to these requirements?

> But you need to have (a) a public record (everyone can see what they voted),

Not possible, you do not get a copy of your ballot

> (b) privacy (nobody can see what anyone else voted for),

More or less guaranteed that public members will not have access to your vote

> (c) accessibility (nobody needs special ID or keys or anything).

In most countries that I have been in, you do need ID (in some countries like India you need a "special" ID).

Also, in most countries with paper ballots, ballots are numbered, and the counterfoil has your name on it. So although the person counting the votes does not know which is who, in principle (and during allegations of fraud) a court can match each person to a ballot.

> And you need a simple enough system that people will trust you when you tell them that these points are satisfied.

Yes. We do not need a foolproof system, just one that is good enough.

There _will_ be election fraud. We can hope that most will be detected, and punished. That is all that a good system requires, I think.

Security quotes of the week

Posted Feb 9, 2013 19:34 UTC (Sat) by nix (subscriber, #2304)

Having a public record of the vote is extremely dangerous, since it means that you can prove to other people how you voted.

Let's rephrase that. It means that other people can demand you prove to them how you voted, and punish you if you didn't vote the way they wanted you to.

Having a public record of the vote is only acceptable if you are permitted to forge it freely, and no record of that forgery is kept. Then you could vote one way and tell your coercer that you voted the other, and the coercer would be none the wiser. (This only works as long as the ballot is secret too, of course.)

This sort of thing is why a lot of countries make it a criminal offence to take photographs inside the voting booth.

Security quotes of the week

Posted Feb 9, 2013 20:25 UTC (Sat) by apoelstra (subscriber, #75205)

> Having a public record of the vote is extremely dangerous, since it means that you can prove to other people how you voted.

On the other hand, having no public record means that the vote-counters can change your vote and you'd be none the wiser.

> Having a public record of the vote is only acceptable if you are permitted to forge it freely, and no record of that forgery is kept. Then you could vote one way and tell your coercer that you voted the other, and the coercer would be none the wiser. (This only works as long as the ballot is secret too, of course.)

I'd bet money there's some combination of asymmetric crypto and hash tricks that would let you:

1. Vote as many times as you want, choosing which vote is the "real" one.
2. Publicize the entire voting record so that it's possible for anyone to sum all real votes.
3. Despite (2), nobody can tell which votes are real, even their own, nor can anyone tell how many times somebody voted.

Then if the algorithm and voting record were both publicized, you'd be assured that your vote was correctly counted (because you trust the algorithm, not because you can read the record).

With only these three points, maybe the government could drop votes from the record selectively. (Drop vote, recount. Didn't help me? Put it back, drop the next one, recount...).

But this could be solved if you could also "vote" a signature of others votes. You'd encrypt this signature with some secret. Then, say, your local watchdog group could sign the votes of you and all of your friends. If your votes go missing or the signature goes missing, the watchdog will notice and publicize the secret needed to verify this. Otherwise, the watchdog does nothing and nobody even knows what was signed.

You could even be your own watchdog, though if a lone guy is saying "my signature is bad, they're tampering!" people would likely assume he just did the signature wrong and ignore him. But if the ACLU were to say this, that would be a big deal. And since nobody could match the signature to the watchdog until their secret was published (after the election), any tampering would therefore run a risk of being noticed.
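
The watchdog idea in the comment above (a group quietly enters a sealed statement about a set of votes into the record, and publishes the key only if those votes later go missing) is a commit-and-reveal construction. The following is an added example by the editor, not code from the commenter or from any real system. It assumes a keyed hash (HMAC over the sorted identifiers of the watched records) as one concrete way to realize "encrypt this signature with some secret", assumes each published record is identified by the SHA-256 of its canonical JSON, and uses three constructed votes. It shows the honest case, a dropped watched vote being caught after the reveal, and the limit the comment itself notes: a vote nobody committed to can vanish unnoticed.

```python
import hashlib
import hmac
import json
import os


def record_id(record):
    """Identifier for one published record: SHA-256 over canonical JSON.
    Constructed for this example; the thread gives no record format."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def commit(secret, ids):
    """HMAC(secret, sorted ids). Without the secret the value is just noise,
    so entering it into the public record reveals nothing about which votes
    it covers or who made it."""
    return hmac.new(secret, "\n".join(sorted(ids)).encode(), hashlib.sha256).hexdigest()


class Watchdog:
    def __init__(self, watched_records):
        self.secret = os.urandom(32)          # stays private unless tampering is seen
        self.ids = sorted(record_id(r) for r in watched_records)

    def commitment_record(self):
        # Submitted into the record alongside ordinary votes, as the comment suggests.
        return {"type": "commitment", "value": commit(self.secret, self.ids)}

    def reveal(self):
        return self.secret, self.ids


def verify_reveal(commitment_record, secret, ids, published):
    """Checks anyone can run after the watchdog publishes its secret:
    the revealed set matches the commitment, the commitment itself is still
    in the record, and every covered vote is still in the record."""
    problems = []
    if not hmac.compare_digest(commit(secret, ids), commitment_record["value"]):
        problems.append("revealed set does not match commitment")
    published_ids = {record_id(r) for r in published}
    if record_id(commitment_record) not in published_ids:
        problems.append("commitment record missing")
    problems += ["vote missing: " + i[:12] for i in ids if i not in published_ids]
    return problems


def demo():
    # Constructed votes. In the thread these would be signed and encrypted to
    # the government key; only their identity in the record matters here.
    votes = [{"voter": "alice", "choice": "X"},
             {"voter": "bob", "choice": "Y"},
             {"voter": "carol", "choice": "X"}]
    wd = Watchdog(votes[:2])                  # the group watches alice and bob
    c = wd.commitment_record()
    published = votes + [c]                   # the public bulletin board
    secret, ids = wd.reveal()

    honest = verify_reveal(c, secret, ids, published)
    # Tampering: the counters drop bob's vote. From the record alone they
    # cannot tell that c covers it; c looks like any other opaque entry.
    caught = verify_reveal(c, secret, ids, [r for r in published if r != votes[1]])
    # Dropping carol's vote instead is not detected by this watchdog.
    unwatched = verify_reveal(c, secret, ids, [r for r in published if r != votes[2]])
    return {"honest": honest, "caught": caught, "unwatched": unwatched}
```

The reveal is all-or-nothing: once the secret is public the whole watched set is disclosed, which is why a commitment would need to cover only the fact that a record exists and not its plaintext vote, and why the comment reserves the reveal for after the election.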

Security quotes of the week

Posted Feb 9, 2013 21:50 UTC (Sat) by renox (subscriber, #23785)

>On the other hand, having no public record means that the vote-counters can change your vote and you'd be none the wiser.

which is why on 'normal' votes, you can attend the vote-counting..
Not possible of course with 'Internet' votes or machine voting, both are of course very bad ideas.

Security quotes of the week

Posted Feb 11, 2013 23:56 UTC (Mon) by nix (subscriber, #2304)

Yes, there are indeed such crypto tricks. Unfortunately, they fall foul of another requirement of voting systems: that they must be understandable by the common voter. If only Ron Rivest and his fellow crypto deities can understand said system and be satisfied that it is secure, then the thing is useless, be it ever so wonderful.

Security quotes of the week

Posted Feb 12, 2013 2:18 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

It's pretty simple - the system randomizes the order of candidates and you get only one part of it.

Security quotes of the week

Posted Feb 10, 2013 0:01 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)

There are systems that allow to check that all votes are registered correctly and that can't be used to identify individual voters.

Security quotes of the week

Posted Feb 14, 2013 17:05 UTC (Thu) by davidescott (guest, #58580)

Very complex systems, i.e. most people won't check, and it would be reasonably easy to predict those who might check.

In a country where 50% of the people don't vote and don't care because they recognize it doesn't make a difference who they vote for this means that:
a) You can fraudulently insert votes from individuals who didn't vote and expect them not to check and verify that their vote was not recorded.
b) [Potentially] Change votes of some voters who match certain criteria (unemployed, not connected to a politically active group, low education) and reasonably expect that they will not attempt to verify their vote matches what they claim to have voted for.
c) If anyone does step forward brush them aside as a crackpot.

There is also a strong incentive for a reverse attack on the system from the losing side.
a) If you know you will lose cast the wrong vote (ie vote for the winner or somehow spoil your vote).
b) Complete the protocol for the correct vote to try and introduce an inconsistency in the tabulation.
c) Complain that the election is rigged. Most people won't understand the arguments one way or the other and come down on the side of their party in believing that either the voter screwed up (if they favor the winner) or that the election is rigged (if they favor the loser).

Security quotes of the week

Posted Feb 11, 2013 1:41 UTC (Mon) by ras (subscriber, #33059)

Secure electronic voting from a polling booth is theoretically a solved problem. The keywords to search upon are "end to end verifiable voting". Like all good crypto protocols, these at first appear to do the impossible. They do not depend on trusting the voting machines, the counting process, the people, or anything else in the middle. Thus they don't require open source to work. They do publish every vote so voters can verify their vote has been counted, but they do so in a way that preserves anonymity and prevents voters from selling their vote.

At least one state in Australia (Victoria) is implementing it now - this was covered in a talk at LCA 2013. They are using the Prêt à Voter scheme, which sadly they omitted to mention in their talk. Possibly not the best detail to omit at an LCA conference. Instead they talked about what is I guess their most pressing problem - creating an interface for a voter who is possibly blind, or deaf, or can't write - maybe because they have Parkinson's disease.

This paper covers a lot of detail omitted in the talk: https://www.vec.vic.gov.au/files/RP-EVT.pdf


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds