11/28/07

E-voting: Analysis of an Electronic Voting System

Properties of a voting system
- Vote integrity
  - Tamper-proof, or
  - Verifiable
- Anonymity for the voters
- Repudiability

How can repudiability be beaten by the mob in a physical system?
You are asked to fill out an empty ballot while the mob is watching, and then you bring back an empty ballot.

What makes it difficult to fulfill these properties in electronic voting systems?
It is hard to get both reliability and verifiability.

What are the components of the Diebold AccuVote voting system?
A server with a network connection to a terminal that takes a smartcard. The smartcard can be either a voter card or an admin card.

Vulnerabilities found in Diebold AccuVote
- Smartcards without cryptography
- Communication is in plaintext
  - An attacker can sniff passwords
- The difference between a voter card and an admin card is just one byte

Vulnerabilities in the terminal
- Votes are stored sequentially on the terminal (confidentiality); the order is only randomized on the server
- The ballot definition file is unauthenticated (integrity)
- The total number of votes is stored in a file

How did they abuse cryptography?
- Keys are embedded in the source code
- The key consists only of ASCII characters because it is a string
- They use DES, which is easy to crack by brute force
- They use the symmetric-key algorithm wrongly
These errors made it easier to guess the key even if the key had not been embedded in the code.

How did they use symmetric-key cryptography wrongly?
- Diebold uses a CBC-mode symmetric-key algorithm, which requires a random seed (the initialization vector, IV) in order to work properly. They always used '0' as that seed.

Criticisms of the voting paper:
- It examines a CVS version, which is not necessarily the real shipped system (cross-examination with a paper that had access to the real source makes it likely, though, that this is the case).
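The two unauthenticated inputs listed above, the smartcard whose voter/admin distinction is a single byte and the ballot definition file, share one fix: the terminal should accept only data carrying a MAC under a key it holds. The following is an added example, not code from the notes or from Diebold; the record layouts, card-type values and the key are constructed, and HMAC-SHA256 stands in for whatever a real terminal would use.

```python
"""Authenticating smartcard records and the ballot definition file with an HMAC.

Constructed formats (not Diebold's): a card is one type byte followed by a
serial; a ballot definition is an opaque byte string. The unauthenticated
parser trusts the type byte as-is; the authenticated one checks a tag first.
"""
import hashlib
import hmac

CARD_TYPE_VOTER = 0x01   # constructed values
CARD_TYPE_ADMIN = 0x02
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def parse_card_unauthenticated(blob: bytes) -> tuple:
    """The weak design from the notes: the first byte alone decides admin vs voter."""
    return blob[0], blob[1:]


def attach_tag(key: bytes, body: bytes) -> bytes:
    """Return body || HMAC-SHA256(key, body).

    The key must come from per-terminal secure storage; the notes describe the
    opposite (keys embedded in source), which makes any tag forgeable.
    """
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_tag(key: bytes, blob: bytes):
    """Return the body if the trailing tag verifies, else None (constant-time compare)."""
    if len(blob) < TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return body


def issue_card(key: bytes, card_type: int, serial: bytes) -> bytes:
    return attach_tag(key, bytes([card_type]) + serial)


def parse_card_authenticated(key: bytes, blob: bytes):
    """Accept the card only if every byte, type byte included, is covered by the tag."""
    body = verify_tag(key, blob)
    if body is None or len(body) < 2:
        return None
    return body[0], body[1:]


def sign_ballot_definition(key: bytes, definition: bytes) -> bytes:
    return attach_tag(key, definition)


def load_ballot_definition(key: bytes, blob: bytes):
    """The terminal should refuse to run an election on an unverified definition."""
    return verify_tag(key, blob)


if __name__ == "__main__":
    key = b"constructed-terminal-secret"   # constructed; provisioned per terminal in practice
    card = issue_card(key, CARD_TYPE_VOTER, b"0001")
    # The same card with its type byte altered: the one-byte check trusts it,
    # the authenticated parser rejects it because the tag no longer matches.
    altered = bytes([CARD_TYPE_ADMIN]) + card[1:]
    print("unauthenticated parser sees admin:", parse_card_unauthenticated(altered)[0] == CARD_TYPE_ADMIN)
    print("authenticated parser result:", parse_card_authenticated(key, altered))
    definition = b"contest=Mayor;candidates=A,B"   # constructed
    signed = sign_ballot_definition(key, definition)
    print("ballot definition verifies:", load_ballot_definition(key, signed) == definition)
```

A MAC gives integrity only: it stops the type byte (or the ballot definition) from being changed without the key, but a valid card copied whole would still verify, so a deployed design would also need a per-card counter or challenge-response, and the key must not be shared across all terminals in source code as the notes describe.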
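To make the CBC point concrete, here is an added example (not from the notes or from Diebold) that encrypts constructed vote records under CBC with the all-zero seed the notes describe and again with a fresh random IV per record. The block cipher is a constructed 4-round Feistel network with a SHA-256 round function, chosen only because it has DES's 64-bit block size and is invertible; it is not DES and not secure, and the record format and key are constructed too. With the zero IV, identical records produce identical ciphertexts and records sharing a prefix share their leading ciphertext blocks, which is exactly the leak a random IV prevents.

```python
"""Toy CBC demonstration: fixed (all-zero) IV versus a fresh random IV."""
import hashlib
import os

BLOCK = 8                # 64-bit blocks, like DES
ZERO_IV = bytes(BLOCK)   # the "always 0" seed described in the notes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, r: int) -> bytes:
    """Constructed Feistel round function: 4 bytes of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l   # final swap so decryption runs the same schedule backwards


def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK   # PKCS#7 style: always adds 1..8 bytes
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded = _pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return _unpad(b"".join(out))


def encrypt_fixed_iv(key: bytes, record: bytes) -> bytes:
    """What the notes describe: every record encrypted under the same zero IV."""
    return cbc_encrypt(key, ZERO_IV, record)


def encrypt_random_iv(key: bytes, record: bytes) -> bytes:
    """Correct CBC usage: fresh random IV per record, stored in front of the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, record)


def decrypt_random_iv(key: bytes, blob: bytes) -> bytes:
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


# Constructed sample vote records (not a real Diebold format); two are identical
# and all three share the same 16-byte prefix.
VOTES = [
    b"PRECINCT-01|CANDIDATE-A",
    b"PRECINCT-01|CANDIDATE-B",
    b"PRECINCT-01|CANDIDATE-A",
]


def duplicate_ciphertexts(blobs: list) -> int:
    """How many ciphertexts exactly repeat an earlier one (reveals equal votes)."""
    return len(blobs) - len(set(blobs))


def distinct_first_blocks(blobs: list, offset: int = 0) -> int:
    """How many distinct first ciphertext blocks there are, after `offset` bytes of IV."""
    return len({b[offset:offset + BLOCK] for b in blobs})


if __name__ == "__main__":
    key = b"constructed-key!"   # constructed; a real key must not live in source
    fixed = [encrypt_fixed_iv(key, v) for v in VOTES]
    rnd = [encrypt_random_iv(key, v) for v in VOTES]
    print("zero IV:   repeats =", duplicate_ciphertexts(fixed),
          "distinct first blocks =", distinct_first_blocks(fixed))
    print("random IV: repeats =", duplicate_ciphertexts(rnd),
          "distinct first blocks =", distinct_first_blocks(rnd, BLOCK))
```

Under the zero IV the first two ciphertext blocks of all three records are equal and the two CANDIDATE-A records encrypt to the same bytes, so a stored file leaks which votes match without the key being recovered at all; under random IVs every ciphertext differs from the first block on, and the IV is simply stored in the clear, which CBC allows.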