How it works

January 25, 2007 at 4:59 pm | Posted in Explanations | 11 Comments

Note: This is how the process is intended to run.

Opening

The voting process starts at the time specified by the COMELEC. This time will be the same for all the countries – if any, of course – involved in the election.

Voter authentication

The authentication mechanism (the same mechanism based on credentials described above) is as follows:

· Using a web browser, the voter connects through a secure channel (e.g., HTTPS) to the voting web page containing the Voting Client (an applet).
· The cryptographic operations of the voting protocol will be performed by this applet. If the browser does not support the execution of applets, this restriction is detected and the voting process will use a servlet approach for the Voting Client (the same cryptographic operations will be performed, but in a server component).
· The voter enters the voter credentials (e.g. a voter id and password). The applet sends the voter id to the authentication manager, which responds by sending the voter credential key container.
· The password is then used by the Voting Client to access the private key of the credential. This private key is used to authenticate the voter through the authentication manager (strong authentication). If the key is correct, the web browser will display the personalized ballot contents for all races assigned to the voter.

Voting options selection

The voter selects the voting options using the mouse, keyboard or any other pointing device.

Vote encryption

When the voter has made his selections for all the races and is ready to cast the vote, the selected voting options are shown by the Voting Client for confirmation. If the voter confirms them, the vote is encrypted using the election public key. The encrypted vote is then digitally signed using the voter credential private key and sent to the Voting Server located in Manila. The Voting Server verifies that the vote is valid and stores it in the digital ballot box. A confirmation message is sent back to the voter.

Receipt generation

During the encryption of the vote, a unique ballot identifier is randomly generated by the Voting Client. This identifier is also encrypted with the vote and therefore cannot be seen by anyone (with the exception of the voter) until the vote is decrypted by the Central Electoral Board during the Mixing process. This identifier, previously masked by cryptographic means, is sent jointly with the encrypted vote to the Voting Server. If the vote is accepted, the Voting Server digitally signs the masked identifier and returns it inside the confirmation message. The Voting Client uses the unique identifier and the digital signature of its mask to generate a voting receipt that can be printed by the voter. This receipt allows the voter to verify that the vote is present when the contents of the digital ballot box are decrypted by the Central Electoral Board. It is important to note that the receipt does not disclose the selected voting options, to prevent the possibility of vote selling or voter coercion.

Closing

The voting process stops accepting votes at the time specified by the COMELEC (May 14th, 2007, at 15:00 Manila local time). Voters in the process of voting when this occurs (already logged in) will be granted the configured session duration time to complete the casting of their votes (this margin is configured during the pre-election configuration and is the same for all voters).

Results

Mixing and Canvassing

After the election is automatically closed, the digital ballot boxes collected by all instances of the Voting Servers are exported and securely transferred to the Mixing Service. This service will be located at the COMELEC’s main offices in Manila.

The digital ballot boxes contain the digitally signed and encrypted votes. The entire digital ballot box file is also digitally signed to prevent the deletion of votes.

Once all the digital ballot boxes are transferred to the Mixing Service, the digital signature on each encrypted vote contained in the ballot boxes is checked to verify that it corresponds to a valid voter. Optionally, a Certificate Revocation List can be used to ensure that the voter credentials have not been revoked. After this process, the Central Electoral Board (or at least, the minimum pre-defined number of its members) must get together to reconstruct the election private key in order to initiate the Mixing Process. This Mixing Process is used to remove the digital signatures from the votes and break the correlation between the encrypted votes and the identity of the voters in order to protect voters’ privacy.

The output from this Mixing Process in the OAV Project is twofold: encrypted votes without digital signatures and the unique ballot identifiers of the voting receipts.

The encrypted votes obtained from the Mixing Process are placed in a server where the authorized Post officials can retrieve them using a web browser, a secure connection and a cryptographic key unique for each Post. Each Post can then proceed to count all the votes cast by OAVs in its country/region.

The votes cast by each voter will be printed by each Post. Each printed vote includes a serial number (to avoid the destruction of votes) and two bar codes: one to facilitate the tallying process and another consisting of a digital signature to prove that the hardcopy of the vote is valid.

The other output of this process is a list of questionable encrypted ballots (if any) which require further investigation in order to be accepted or rejected by the Central Electoral Board. An example of this category of ballots would be those that correspond to credentials that had been previously revoked.

Voter verification

The voting receipts obtained from the Mixing Process (as described above) are made publicly available through a website. Voters can then individually verify (if they wish) whether the unique ballot identifiers of their receipts are included in the list of published receipts. The ballot identifiers were randomly generated in the voters’ Voting Clients and, therefore, were only known to the voters. The presence of a ballot identifier on the list of published receipts means that the corresponding encrypted vote reached the Central Electoral Board.

In order to prevent voters from filing false claims using fake receipts, voters are required to present the digital signature provided as part of the receipts to prove the authenticity of the receipts.

Auditing

The Internet voting platform to be used will include several features to facilitate the audit of the election before, during and after the electoral process:

· The source code can be reviewed by the COMELEC (or designated third-party auditors) under a non-disclosure agreement.
· All the software components of the e-voting platform can be digitally signed for integrity and authentication purposes.
· The e-voting platform records logs of all voting transactions and protects these logs using a special cryptographic mechanism to ensure their authenticity and integrity. Independent auditors can therefore check the accuracy of the logs before starting the audit process.
· The voter, as explained before, can individually check whether his vote was used in the final canvassing, without revealing his voting options.
· Any of the previous audit processes can be implemented without compromising the election accuracy and voters’ privacy.

11 Comments »

  1. Sir, some valid objections/points are raised in this blog, care to comment? http://technews-isaw.blogspot.com/2007/01/is-philippines-ready-for-internet.html

  2. Thanks for the heads up jun. I’ll look up the blog and report back here soon as I can.

  3. Dear All,

    We understand that there are some concerns over the security of Internet Voting. It is also great to see the community showing interest in the topic. I would like to assure you that the proposed solution is reliable and secure. The issues highlighted here had also been considered in the design. We also wish to clarify the doubts and uncertainties that you may have on the solution. Please write in to us at asia-pacific@scytl.com for your queries.

    Yours Sincerely,
    Scytl Technical Team

  4. 26Jan2007 (UTC +8)

    Diebold also kept insisting that their electronic voting systems were secure. Even until the very moment that the state of California got mad. I used to live there, and I remember this being a hot issue back then.

    In 2003, Bev Harris (an “Erin Brockovich” of elections) and a colleague filed a lawsuit against Diebold Election Systems, resulting in Diebold paying $2.6 million in restitution to the state of California for making false claims in selling its voting system to Alameda County, the first successful litigation against a voting machine manufacturer in the United States.

    Trust is a very precious & rare asset.

  5. SCYTL

    How do you deal in the event of MAC spoofing? How about [D]DOS on the local routing or on the server itself?

    The only way I see of this ever working is if you have a separate and direct satellite up-link/down-link. Still, just throw in a $1000 wireless router + power output hack and it's easy to block any satellite and even cellphone signals within a couple of blocks' radius. Finally, it's impossible to trace if placed on a moving vehicle.

  6. While the “How It Works” is very impressive with all the authentication, encryption and security features available with the system, how will it solve organized vote buying? If I was a savvy elections operator working for a political party, say in Singapore, I can put out word that I am willing to buy votes in exchange for you giving me your PIN and/or password. Then, I can, at the convenience of the internet, key in my desired votes. I am now in control and no amount of proprietary security measure can deter me from doing what I want to do. This counter is very low tech, but what is your solution to this?

  7. As a follow up, I understand that internet voting will provide convenience to our fellow overseas voters and solicit more participation. But by the same token, internet voting also provides savvy operators a convenient tool through organized vote buying to commit fraud. This is even worse than vote buying in the manual system, because there the vote buyer cannot verify what the “bought” voter actually voted. With internet voting, the ill-willed operator is assured that the votes he bought will be in his favor.

  8. 27Jan2007 (UTC +8)

    Neuralfive, Scytl’s “How It Works” is not actually impressive. In the course of my career, I led a penetration test team that hijacked an HTTPS session (Yes, you read that right. An encrypted web-based session “secured” with stuff by a trusted certificate authority), reverse-engineered login applets, and were able to view transactions on the back-end (mainframes, I’m led to believe). We were only doing read-only because that was the max permission given to us. Oh yeah, since we were tunneling inside HTTPS connections, no Intrusion Detection Systems nor firewalls were able to stop us. And after the project, we destroyed ALL source code we wrote, as well as screen caps, documentation, notes… everything.

  9. 27Jan2007 (UTC +8)

    Then there was another attack vector we took, with us creating a custom but highly-controlled Trojan Horse software (yes, just a simulation of malware) where our objective was to take over the entire LAN of a whole office floor. Needless to say, no anti-virus even detected our attack, because it didn’t match any of the virus signatures they were expecting. Our software resided only in memory, so upon reboot or after 24 hours, it was gone. No writes to disk 🙂 And of course, every evidence of our work was destroyed after the pentest project.

    My point is, all this (in)security technology mumbo-jumbo isn’t really worth anything if a proper risk assessment isn’t made.

  10. 27Jan2007 (UTC +8)

    Here’s a funny story… still relevant to the infosec students in all of us 🙂

    Just after Christmas 2006, we were engaged by an American company (based in Washington, DC) to do an Internet pentest in two California offices and one in New York. We were stopped dead cold because of the Taiwan earthquake! Eventually we worked around that problem, but funny to me (now), nonetheless.

    Sorry for the off-topic, as I just get “interested” sometimes by marketing statements that promise everything, but actually, may not be able to.

  11. ford sacramento
