Strasbourg – How to create trust-1© G. Skagestein November 2006
How to create trust in electronic voting
over an untrusted platform
A possible solution and its implications with regard to the Recommendation
Gerhard Skagestein, University of Oslo
Development in the field of e-voting
Council of Europe
Strasbourg 23-24 November 2006
The background
In 2004, the Norwegian Ministry of Local Government and
Regional Development appointed a working group for
giving recommendations on the future of electronic
elections in the country.
The results were published in January 2006, see the report
Electronic voting – challenges and possibilities
– see http://www.e-valg.dep.no
This presentation discusses one important topic in the
report, namely how to achieve trust in e-voting over an
insecure system like a home PC connected to Internet.
Some basic principles
The working committee maintains that
Traditional paper voting should coexist with e-voting
e-voting should be available only during the advance voting period (called phase 1)
i.e.: No e-voting on Election Day (called phase 2)
Same technological solution for e-voting in both supervised and unsupervised environments
o Same program –> same user interface, same operational procedures, same security measures, less programming code to maintain, test and certify
o i.e. a technical solution must be feasible in unsupervised environments, even though it may be used only in supervised environments
e-voting in supervised environments
[Diagram: Voter → Voting client → Datanet → Ballot-receiving server → Ballots; a Verification log is kept at the server side. Supervised environment, trusted system.]
e-voting in unsupervised environments
How can we achieve the voters' trust in the complete system when a part of it is not trustworthy?
How can we establish a trustworthy Verification log?
[Diagram: Voter → Voting client (untrusted system) → Datanet → Ballot-receiving server → Ballots; Verification log at the server side. Unsupervised environment, partly untrusted system; the voter has no possibility for immediate inspection of the verification log.]
Some observations…
If you have something that you do not completely trust,
you compensate by trying to build security into the
levels above
Why do we trust Internet banking?
o we can check the statement of account
o if something goes wrong, the bank takes the blame
(usually).
Possible e-voting solutions
Redundancy:
Let the voter send several ballots, possibly through
different channels, and let the system compare notes
o Cumbersome for the voter
o The voter may still feel insecure
Feedback control:
Let the voter inspect the ballot as it is registered in the
trusted part of the system
(analogous to checking the statement of account
in Internet banking)
Feedback through another channel
[Diagram: Voter → Voting client (untrusted system) → Datanet → Ballot-receiving server → Ballots, Verification log; a Ballot-inspecting server (trusted system) feeds the registered ballot back to the voter over the SMS net, a second untrusted channel.]
But what about the secrecy of the vote? (The Recommendation, Standard 17)
Multiple casting of ballots
[Diagram: as on the previous slide (Voter, Voting client and SMS net untrusted; Datanet, Ballot-receiving server, Ballots, Verification log, Ballot-inspecting server), plus a Vote-extracting server that produces the Votes from the stored Ballots and is run only when the election is closed.]
Voter is allowed to send several ballots – only the last one is regarded as the e-vote
Voter may override any e-vote by a traditional paper ballot on Election Day
On Election Day…
… the Election officials will have access to an updated Voter
register, where the e-voters have been marked
When an e-voter shows up in the polling station,
the Election official will send an ”annul-ballot”-message to the
e-voting system before allowing the voter to vote by traditional
means (i.e. anonymous paper ballot in a supervised environment)
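As an added example (not code from the presentation or from the Norwegian project), the following Go type models the rules of the last three slides: repeated e-ballots in phase 1 with only the last one kept, the "annul-ballot" message on Election Day, the list of e-voters to be marked in the voter register, and extraction of the valid votes only after the close. The type and method names are assumptions made here, and the stored strings merely stand in for signed, encrypted ballots.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Phase follows the slides: e-voting only in the advance voting period (phase 1),
// paper voting with annulment of e-votes on Election Day (phase 2), extraction of
// the valid votes only once the election is closed.
type Phase int

const (
	Phase1Advance Phase = iota
	Phase2ElectionDay
	Closed
)

// BallotStore models the ballot-storage server with its verification log. The
// stored strings stand in for the signed, encrypted ballots (constructed values).
type BallotStore struct {
	phase    Phase
	byVoter  map[string]string // latest ballot per voter; an earlier one is overwritten
	annulled map[string]bool
	Log      []string // append-only verification log
}

func NewBallotStore() *BallotStore {
	return &BallotStore{byVoter: map[string]string{}, annulled: map[string]bool{}}
}

// Receive registers a ballot; a later ballot from the same voter replaces the earlier one.
func (s *BallotStore) Receive(voterID, sealed string) error {
	if s.phase != Phase1Advance {
		return errors.New("e-ballots are accepted in phase 1 only")
	}
	s.byVoter[voterID] = sealed
	s.Log = append(s.Log, fmt.Sprintf("ballot registered for %s", voterID))
	return nil
}

// Inspect returns the ballot currently registered for the voter, which is what the
// ballot-inspection server shows (the decryption step is left out here).
func (s *BallotStore) Inspect(voterID string) (string, bool) {
	sealed, ok := s.byVoter[voterID]
	return sealed, ok
}

// Advance moves the election to a later phase; phases never go back.
func (s *BallotStore) Advance(to Phase) error {
	if to <= s.phase {
		return errors.New("phases only move forward")
	}
	s.phase = to
	return nil
}

// EVoters is the list of e-voters to be marked in the voter register for Election Day.
func (s *BallotStore) EVoters() []string {
	ids := make([]string, 0, len(s.byVoter))
	for id := range s.byVoter {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// Annul is the election official's "annul-ballot" message, sent before a marked
// e-voter is allowed to cast a paper ballot; the paper ballot then takes precedence.
func (s *BallotStore) Annul(voterID string) error {
	if s.phase != Phase2ElectionDay {
		return errors.New("annulment is possible on Election Day only")
	}
	if _, ok := s.byVoter[voterID]; !ok {
		return fmt.Errorf("no e-ballot registered for %s", voterID)
	}
	s.annulled[voterID] = true
	s.Log = append(s.Log, "e-ballot annulled for "+voterID)
	return nil
}

// ExtractValid is the vote-extracting server's rule: run only when the election is
// closed, and hand over one ballot per voter, the last one, unless it was annulled.
func (s *BallotStore) ExtractValid() (map[string]string, error) {
	if s.phase != Closed {
		return nil, errors.New("extraction runs only after the election is closed")
	}
	valid := map[string]string{}
	for id, sealed := range s.byVoter {
		if !s.annulled[id] {
			valid[id] = sealed
		}
	}
	return valid, nil
}
```

A caller drives the store through Receive during phase 1, Advance(Phase2ElectionDay), Annul for every marked e-voter who turns up at a polling station, Advance(Closed) and finally ExtractValid. Keeping the phase checks inside the store, rather than in the callers, is what makes "no e-voting on Election Day" and "run only when election is closed" enforceable properties rather than operating procedures.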
Several ballots from the same voter? Why?
o Alleviates the ”family-voting” problem
o Alleviates the vote-buying/selling problem
o Maintains a certain level of secrecy – even when ballot-inspection is possible
…because nobody can know whether the current ballot will be the final one
o Technically, it comes next to free – as a side effect of the mechanism to ensure only one valid vote from each voter
Why not?
o May reduce the solemnity of voting
o Must maintain the connection between the voter and the ballot until the end of the election (increased risk of loss of secrecy)
What about the secrecy of the vote?
Wouldn’t this solution increase the risk of disclosing the
secret vote to other people?
Yes, but
the ballot-inspection server should authenticate the voter
just as thoroughly as the ballot-receiving server
with the session key (see later), the ballot can only be
inspected, not modified
it is the responsibility of the voter to keep the session key
unavailable to other people
if the ballot is disclosed, there is no way to know whether
this is the final ballot and the vote to be counted
The technical solution
The technical solution builds upon the principle
of hybrid cryptography
The hybrid crypto principle
Symmetric cryptography: The same key is used for encryption and decryption of the message
Asymmetric cryptography: One key of a key pair is used for encryption, the other key of the key pair for decryption of the message
Hybrid cryptography: The message is encrypted symmetrically by a randomly selected session key, which is then encrypted asymmetrically. To decrypt, the session key is decrypted asymmetrically, then the message is decrypted symmetrically with the session key.
The session key
Hybrid crypto with a session key is traditionally used for
efficiency reasons
In this solution, we use the session key also to allow the voter to
inspect his registered ballot
To be able to inspect the ballot, the voting client must keep the
session key
For inspecting the ballot through other channels, the session
key must be transferable to the client on the other channels
[Diagram: Electronic voting with ballot-inspection. Casting: the Ballot is encrypted with the Session key, giving the Encrypted ballot; the Session key is encrypted with the public key of the Election event; the whole is digitally signed with the Voter's private key, giving the Digitally signed, encrypted ballot that is stored in the Ballot database. Inspection: the outer envelope is removed with the voter's public key and the ballot is decrypted with the session key, giving the Ballot (as registered). Vote counting proceeds from the Ballot database. Keys involved: Election event key pair, Voter's key pair, Session key.]
Source: G. Skagestein et al.: How to create trust in electronic voting over an untrusted platform. In Krimmer, R. (Ed.): Electronic Voting 2006, GI Lecture Notes in Informatics, P-86, Bonn, 2006.
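The following Go program is an added example, not code from the presentation or from the Norwegian project. It shows the three paths of the slides on the hybrid crypto principle, the session key and the ballot-inspection diagram in working code: casting on the client, inspection with the retained session key, and extraction with the private key of the election event after the close. The slides name no particular algorithms; AES-256-GCM for the ballot, RSA-OAEP for the session key, RSA-PSS for the voter's signature, the SealedBallot layout and all function names are assumptions made here.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SealedBallot is the diagram's "digitally signed, encrypted ballot". Assumed primitives
// (the slides name none): AES-256-GCM for the ballot, RSA-OAEP for the key, RSA-PSS signature.
type SealedBallot struct {
	VoterID    string // the voter's real identity, as the working committee recommends
	Nonce      []byte // GCM nonce, fresh per ballot
	Ciphertext []byte // ballot encrypted with the session key
	WrappedKey []byte // session key encrypted with the public key of the election event
	Signature  []byte // voter's signature over VoterID, Nonce, Ciphertext and WrappedKey
}

// envelopeDigest is what the voter signs. It covers everything the servers store,
// so a stored ballot can be inspected but not modified without the voter's private key.
func envelopeDigest(sb *SealedBallot) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(sb.VoterID), sb.Nonce, sb.Ciphertext, sb.WrappedKey} {
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CastBallot runs on the voting client: it returns the sealed ballot for the ballot-receiving
// server and the session key, which the client keeps so that the voter can inspect the ballot later.
func CastBallot(voterID string, ballot []byte, voterKey *rsa.PrivateKey, electionPub *rsa.PublicKey) (*SealedBallot, []byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	sb := &SealedBallot{VoterID: voterID, Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(sb.Nonce); err != nil {
		return nil, nil, err
	}
	sb.Ciphertext = gcm.Seal(nil, sb.Nonce, ballot, []byte(voterID))
	if sb.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, electionPub, sessionKey, nil); err != nil {
		return nil, nil, err
	}
	if sb.Signature, err = rsa.SignPSS(rand.Reader, voterKey, crypto.SHA256, envelopeDigest(sb), nil); err != nil {
		return nil, nil, err
	}
	return sb, sessionKey, nil
}

// OpenOuterEnvelope verifies the voter's signature ("removing the outer envelope with
// the voter's public key"). Both inspection and vote extraction start here.
func OpenOuterEnvelope(sb *SealedBallot, voterPub *rsa.PublicKey) error {
	return rsa.VerifyPSS(voterPub, crypto.SHA256, envelopeDigest(sb), sb.Signature, nil)
}

func decryptBallot(sb *SealedBallot, sessionKey []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sb.Nonce, sb.Ciphertext, []byte(sb.VoterID))
}

// InspectBallot is the ballot-inspection server's path: the voter presents the session key
// and the registered ballot is decrypted for display only; no election private key is needed.
func InspectBallot(sb *SealedBallot, voterPub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	if err := OpenOuterEnvelope(sb, voterPub); err != nil {
		return nil, err
	}
	return decryptBallot(sb, sessionKey)
}

// ExtractVote is the counting path, run only after the election is closed: the private
// key of the election event unwraps the session key, which then decrypts the vote.
func ExtractVote(sb *SealedBallot, voterPub *rsa.PublicKey, electionPriv *rsa.PrivateKey) ([]byte, error) {
	if err := OpenOuterEnvelope(sb, voterPub); err != nil {
		return nil, err
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, electionPriv, sb.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return decryptBallot(sb, sessionKey)
}
```

A caller creates the election event key pair and each voter's key pair with rsa.GenerateKey (in the proposed system the voter's pair would live on the citizen identity card), calls CastBallot on the client, InspectBallot with the retained session key to see the ballot as registered, and ExtractVote with the election event's private key once the election is closed. Because the signature covers the ciphertext and the wrapped session key, any alteration of a stored ballot by someone without the voter's private key fails OpenOuterEnvelope, and a wrong session key fails the authenticated decryption instead of yielding a ballot: this is the "inspected, not modified" property claimed on the secrecy slide, and it holds without the inspection server ever holding the election event's private key.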
[Diagram: Envelope opening and vote extraction. From the Ballot database, verification of the digital signature with the voter's public key yields the list of e-voters to be marked in the Voter register, and the encrypted anonymous e-votes. The session key of each e-vote is decrypted with the private key of the election event, the votes are decrypted with the session keys, and the result is the e-votes to be counted (Votes).]
Architecture of the e-voting system
[Diagram: Untrusted system: Voter, Voting client, Ballot forms, Datanet and SMS net. Behind a Firewall: Ballot-receiving server, Ballot-storage server (Ballots, Verification log), Ballot-inspection server, Ballot-annulling server and Voter register. The Election official sends the "annul-ballot" message to the Ballot-annulling server, which stores an annulling ("red") envelope; Ballots and annul messages go on to the vote-counting system.]
Election is closed – time to count
[Diagram: From the e-voting system, Ballots and annul messages (with integration of ballot files in case of distributed storage of ballots) fill the Electronic ballot box. A Valid-vote extracting server per constituency, with a Security module holding the private key of the election event, produces the Electronic votes list for the Vote-counting server and turns the Voter register into the checked voter register.]
Identification and authentication of the voter
Identification and authentication of the voter should be done by
a generally available PKI-system (citizen identity card)
o cheaper than a special-purpose election credential
o the voter will not be tempted to sell it
The e-vote may be connected to the voter's real identity,
or to a derived pseudo-identity
o the working committee recommends using the real identity,
since this makes the annulment of e-votes on Election Day
easier if the voter wants to cast a paper ballot
Basic Design Principles
e-voting is allowed in phase 1 only
Repeated casting of e-ballots is allowed
– last ballot counts
(The Recommendation Standard 5?)
The e-voter is allowed to inspect his e-ballot as it is registered
(The Recommendation Standard 17?)
Traditional voting with paper ballots in supervised environments on
Election Day (phase 2) is maintained
Any paper ballot takes precedence over the e-ballot
Summary
We have shown that by relaxing the requirement for an absolute
secrecy of the vote, the vote as registered may be inspected by the voter
This possibility for inspection gives the voter trust in the untrusted part of the system
The loss of secrecy is compensated by the possibility to revote, even by traditional means on Election Day
The Election Day should be kept free of any kind of e-voting
The coexistence of e-voting and traditional paper ballot voting makes a soft transition possible
The solution complies with the intentions of the Recommendation, although not always with its wording.
Some rewording in the Recommendation?