Electronic Voting Network Security - PowerPoint PPT Presentation

1
Electronic Voting Network Security
  • Edward Bigos
  • George Duval
  • D. Seth Hunter
  • Katie Schroth

2
Outline
  • Introduction & Overview
  • Network Definition
  • Funding & Certification
  • Security Concerns
  • Recommendations
  • Conclusion

3
Introduction
  • Election security is a historic concern
  • Decides who has power and control
  • Often a heavily distributed process
  • Ancient Greeks cast secret, fully-auditable
    ballots
  • Several important components
  • Anonymity of votes
  • Authentication of voters
  • Integrity of votes
  • Result tampering
  • Result validation

4
Overview
  • First nationwide attempt at electronic voting in
    2004 Presidential Election
  • PC-based DRE Voting Machines and Central
    Tabulators
  • Network security concerns exist at the Central
    Tabulators and their links to voting machines
  • Network capability just as important as actual
    usage
  • Disclaimer: NOT a political argument
  • Election security in a modern context
  • Recent election chosen solely because it was the
    first large-scale rollout of such technology

5
Network Definition
  • Legacy voting machines
  • Punch card readers
  • Optical scanners
  • Direct Recording Electronic (DRE) machines
  • AccuVote-TS
  • Central Tabulators
  • Diebold GEMS
  • Network capabilities
  • Ethernet NIC
  • Dial-up modem commonly used.
  • Occasionally, wireless NIC!
  • Little to no protection, and enabled by default.

6
Funding And Certification of E-voting systems

7
Significance
  • Need to determine How and Where the money comes
    from to upgrade the voting systems.
  • Who and What establishes the Standard that the
    new machines are tested against

8
HAVA, NASED and the ITA
  • Help America Vote Act (HAVA)
  • Formed from the Federal elections commission to
    funnel funds to upgrade voting equipment
  • National Association of State Election Directors
    (NASED)
  • Formed out of the Election Assistance Commission
    to help standardize the evaluation of Equipment
  • Independent Testing Authorities (ITA)
  • Specialists hired to test the HW and SW of the
    new Electronic Voting Equipment.

9
Independent Testing Authorities: Pot-holes in the system
  • Wyle Labs were used for the HW testing
  • Left security to be tested by the manufacturer
  • Ciber Inc. hired to test SW
  • Penetration and security tests Not Applicable

10
Integrity and Security Concerns
  • Vote Integrity
  • Entry point Problems
  • Punch Cards, Optical Scanners and DREs
  • Rogue Voting Machines
  • Vulnerable to malicious attacks like
  • Network Access, Authentication,
    Man-in-the-Middle, Desynchronization
  • Eavesdropping
  • Line taps, Packet sniffing and Man-In-The-Middle
  • Result Tampering

11
Hypothetical Tampering
  • Tampering without notice
  • Point of Entry: National Election Poll
  • Assume a direct link to the Central Tabulators
    is accessible to NEP workers
  • Gains Access to the network
  • Accesses the Database
  • Likely Suspects
  • NEP poll worker or a Technician familiar with the
    manufacturing of the voting equipment

12
Security of Electronic Voting

13
Notable Security Reviews
  • Hopkins Report
  • Review of voting terminal security.
  • SAIC Report
  • Management controls
  • RABA Report
  • Actual security tests.

14
Hopkins Report
  • In depth review of C source code left on an
    open Diebold FTP server.
  • Suggested several potential attacks.
  • Cryptography, when used at all, is used
    incorrectly
  • Hard-coded encryption key: F2654hD4. Same since
    1998!
  • Even unsophisticated attackers can perform
    untraceable man-in-the-middle attacks.

15
Key Points from the Hopkins Report
  • Key Management
  • a hard-coded key
  • #define DESKEY ((des_key*)"F2654hD4")
  • Encryption
  • Implementation always uses zero for its IV.
  • DesCBCEncrypt((des_c_block*)tmp,
    (des_c_block*)record.m_Data, totalSize,
    DESKEY, NULL, DES_ENCRYPT);
  • Message Authentication
  • 16-bit CRC of the plaintext data is an un-keyed
    public function
  • CRC is stored with the ciphertext in the file
    and read whenever it's decrypted and verified.
  • Problem is that the CRC shouldn't be stored
    with the ciphertext in an unencrypted form.

16
SAIC Report
  • Management and policy, not a technical review.
    Commissioned by MD Governor Ehrlich.
  • Suggested the use of controls tamper tape.
  • Dr Rubin did not have a complete understanding
    of Maryland's implementation, process, controls
    and environment.
  • Conclusion: Systems at high risk, but risk could
    be mitigated by management controls.

17
RABA Report
  • Reviewed & critiqued the Hopkins & SAIC reports.
  • Hopkins report substantially correct.
  • Agrees with the evaluation that the election
    station software code quality is poor.
  • RED TEAM laboratory exercise.
  • Used current Diebold source and actual
    AccuVote-TS hardware (January 2004).
  • Poor security related to DES key (F2654hD4) and
    administrative password (1111) still unchanged in
    newest versions.

18
Recommendations

19
Plug Most Severe Network Security Vulnerabilities
  • DRE Voting Machines
  • Mandatory paper ballot receipts
  • Ensuring that a proper recount can be conducted
  • Finding a compromised DRE does not mean lost
    votes
  • Central Tabulators
  • Open Source Code
  • Eliminating the need for ITAs
  • Ensuring secure software solutions

20
Policies & Regulations
  • Audit Reform
  • Require a standard for recognizing the need for a
    recount
  • Prohibit Direct Feeds into Central Tabulators
  • Only as strong as the weakest link
  • Other network feeds increase vulnerability

21
Conclusions
  • Defined the system components of the election
    network
  • Discussed financing and certification
  • Explained network security concerns for the
    system components
  • Suggested first steps to improving network
    security

22
Backup

23
Key Management
  • Code snippet reveals a hard-coded key
  • #define DESKEY ((des_key*)"F2654hD4") [1]
  • [1] Kohno, Stubblefield, Rubin, Wallach.
    Analysis of an Electronic Voting System. IEEE
    Symposium on Security and Privacy 2004. IEEE
    Computer Society Press, May 2004.

24
Encryption
  • Another code sample from the GEMS software source
    code shows that the implementation always uses
    zero for its IV.
  • DesCBCEncrypt((des_c_block*)tmp,
    (des_c_block*)record.m_Data, totalSize,
    DESKEY, NULL, DES_ENCRYPT); [1]
  • A NULL in the argument forces DesCBCEncrypt
    to use all zeros.
  • Strong random numbers are required for each
    encryption in CBC mode.

25
Message Authentication
  • 16-bit CRC of the plaintext data is an un-keyed
    public function
  • CRC is stored with the ciphertext in the file
    and read whenever it's decrypted and verified.
  • Problem is that the CRC shouldn't be stored
    with the ciphertext in an unencrypted form.
  • Better to first encrypt the data to be stored and
    then to compute a keyed cryptographic checksum of
    the ciphertext.
  • The checksum could then be used to detect any
    tampering with the plaintext.
  • Since each entry has a timestamp, it can be used
    to detect reordering.
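
An added example (not from the slides or from the Diebold source) of the message-authentication point on slides 15 and 25: an un-keyed CRC accepts any record whose CRC was simply recomputed, while a keyed checksum over timestamp plus ciphertext rejects modified and reordered entries. HMAC-SHA256, CRC-CCITT as the 16-bit CRC, the 8-byte timestamp layout, all function names and the sample bytes are assumptions; encryption itself is out of scope, so the "ciphertext" values are constructed stand-ins.

```python
import binascii
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def crc_seal(data: bytes) -> bytes:
    """Weak scheme: append an un-keyed 16-bit CRC (CRC-CCITT as a stand-in)."""
    return data + struct.pack(">H", binascii.crc_hqx(data, 0xFFFF))


def crc_verify(blob: bytes) -> bool:
    data, stored = blob[:-2], struct.unpack(">H", blob[-2:])[0]
    return binascii.crc_hqx(data, 0xFFFF) == stored


def mac_seal(key: bytes, timestamp: int, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC layout: timestamp || ciphertext || HMAC(key, both)."""
    body = struct.pack(">Q", timestamp) + ciphertext
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_log(key: bytes, entries: list) -> bool:
    """Accept only if every tag is valid and timestamps strictly increase."""
    last = -1
    for blob in entries:
        if len(blob) < 8 + TAG_LEN:
            return False
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # modified entry or wrong key
        timestamp = struct.unpack(">Q", body[:8])[0]
        if timestamp <= last:
            return False  # reordered or replayed entry
        last = timestamp
    return True


if __name__ == "__main__":
    key = os.urandom(32)  # constructed key; a real one is provisioned, never hard-coded
    # Constructed stand-ins for already-encrypted ballot records.
    e1, e2 = mac_seal(key, 1000, b"ct-one"), mac_seal(key, 1001, b"ct-two")
    altered = crc_seal(b"A=99,B=12")  # needs no secret to produce
    print("CRC accepts re-sealed record:", crc_verify(altered))
    print("MAC log in order:", verify_log(key, [e1, e2]))
    print("MAC log reordered:", verify_log(key, [e2, e1]))
```

The keyed check is only as strong as the secrecy of its key, so a MAC key compiled into the binary would repeat the hard-coded DES key problem described on slide 23.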