How it works
January 25, 2007 at 4:59 pm | Posted in Explanations
Note: This is how the process is intended to run.
The voting process starts at the time specified by the COMELEC. This time is the same for all the countries involved in the election (if any, of course).
The authentication mechanism (the same mechanism based on credentials described above) is as follows:
· Using a web browser, the voter connects through a secure channel (e.g., HTTPS) to the voting web page containing the Voting Client (an applet).
· The cryptographic operations of the voting protocol will be performed by this applet. In case the browser does not support the execution of applets, this restriction is detected and the voting process will use a servlet approach for the Voting Client (the same cryptographic operations will be performed but in a server component).
· The voter enters the voter credentials (e.g. a voter id and password). The applet sends the voter id to the authentication manager, which responds by sending the voter credential key container.
· The password is then used by the Voting Client for accessing the private key of the credential. This private key is used to authenticate the voter through the authentication manager (strong authentication). If the key is correct, the web browser will display the personalized ballot contents for all races assigned to the voter.
Voting options selection
The voter selects the voting options using the mouse, keyboard or any other pointing device.
When the voter has made his selections for all the races and is ready to cast the vote, the selected voting options are shown by the Voting Client for confirmation. If the voter confirms them, the vote is encrypted using the election public key. The encrypted vote is then digitally signed using the voter credential private key and sent to the Voting Server located in Manila. The Voting Server verifies if the vote is valid and stores it in the digital ballot box. A confirmation message is sent back to the voter.
During the encryption of the vote, a unique ballot identifier is randomly generated by the Voting Client. This identifier is also encrypted with the vote and therefore cannot be seen by anyone (with the exception of the voter) until the vote is decrypted by the Central Electoral Board during the Mixing process. This identifier, previously masked by cryptographic means, is sent jointly with the encrypted vote to the Voting Server. If the vote is accepted, the Voting Server digitally signs the masked identifier and returns it inside the confirmation message. The Voting Client uses the unique identifier and the digital signature of its mask to generate a voting receipt that can be printed by the voter. This receipt allows the voter to verify if the vote is present when the contents of the digital ballot box are decrypted by the Central Electoral Board. It is important to note that the receipt does not disclose the selected voting options to prevent the possibility of vote selling or voter coercion.
The voting process stops accepting votes at the time specified by the COMELEC (May 14th, 2007, at 15:00 Manila local time). Voters in the process of voting when this occurs (already logged in) will be granted the configured session duration time to complete the casting of their votes (this margin is configured during the pre-election configuration and is the same for all voters).
Mixing and Canvassing
After the election is automatically closed, the digital ballot boxes collected by all instances of the Voting Servers are exported and securely transferred to the Mixing Service. This service will be located at the COMELEC’s main offices in Manila.
The digital ballot boxes contain the digitally signed and encrypted votes. The entire digital ballot box file is also digitally signed to prevent the deletion of votes.
Once all the digital ballot boxes are transferred to the Mixing Service, the digital signature on each encrypted vote contained in the ballot boxes is checked to verify that it corresponds to a valid voter. Optionally, a Certificate Revocation List can be used to ensure that the voter credentials have not been revoked. After this process, the Central Electoral Board (or at least, the minimum pre-defined number of its members) must get together to reconstruct the election private key in order to initiate the Mixing Process. This Mixing Process is used to remove the digital signatures from the votes and break the correlation between the encrypted votes and the identity of the voters in order to protect voters’ privacy.
The output from this Mixing Process in the OAV Project is twofold: encrypted votes without digital signatures and the unique ballot identifiers of the voting receipts.
The encrypted votes obtained from the Mixing Process are placed in a server where the authorized Post officials can retrieve them using a web browser, a secure connection and a cryptographic key unique for each Post. Each Post can then proceed to count all the votes cast by OAVs in its country/region.
The votes cast by each voter will be printed by each Post. Each printed vote includes a serial number (to detect the destruction of votes) and two bar codes: one to facilitate the tallying process and another consisting of a digital signature to prove that the hardcopy of the vote is valid.
The other output of this process is a list of questionable encrypted ballots (if any) which require further investigation in order to be accepted or rejected by the Central Electoral Board. An example of this category of ballots would be those that correspond to credentials that had been previously revoked.
The voting receipts obtained from the Mixing Process (as described above) are made publicly available through a website. Voters can then individually verify (if they wish) whether the unique ballot identifiers of their receipts are included in the list of published receipts. The ballot identifiers were randomly generated in the voters’ Voting Clients and, therefore, were only known to the voters. The presence of a ballot identifier on the list of published receipts means that the corresponding encrypted vote reached the Central Electoral Board.
In order to prevent voters from filing false claims using fake receipts, voters are required to present the digital signature provided as part of the receipts to prove the authenticity of the receipts.
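The receipt mechanism described above (the ballot identifier encrypted with the vote, the masked identifier signed by the Voting Server, and the post-mixing check against the published list, including the rejection of a fake receipt) as an added, runnable Python model; this is not the OAV platform's code. It assumes, as labelled stand-ins, HMAC tags in place of digital signatures and a nonce-based keystream in place of encryption under the election public key.

```python
import hashlib, hmac, json, secrets

# Constructed, module-local keys. HMAC tags stand in for the digital signatures the
# page describes; a keystream derived from the election key stands in for public-key
# encryption (assumption for a stdlib-only demo, not the real scheme).
ELECTION_KEY = secrets.token_bytes(32)       # reconstructed by the Central Electoral Board
VOTING_SERVER_KEY = secrets.token_bytes(32)  # used to sign masked identifiers

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_for_board(obj) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh per vote, so the keystream is never reused
    return nonce + _keystream_xor(ELECTION_KEY + nonce, json.dumps(obj).encode())

def decrypt_by_board(blob: bytes):
    nonce, body = blob[:16], blob[16:]
    return json.loads(_keystream_xor(ELECTION_KEY + nonce, body))

def mask_id(ballot_id: str, mask: bytes) -> str:
    # Commitment to the ballot id: the server sees this, never the id itself.
    return hashlib.sha256(mask + ballot_id.encode()).hexdigest()

def voting_client_cast(selections: dict):
    """Voting Client: random ballot id goes inside the ciphertext; only the masked id travels in clear."""
    ballot_id, mask = secrets.token_hex(16), secrets.token_bytes(16)
    encrypted_vote = encrypt_for_board({"ballot_id": ballot_id, "selections": selections})
    return encrypted_vote, mask_id(ballot_id, mask), (ballot_id, mask)

def voting_server_accept(ballot_box: list, encrypted_vote: bytes, masked_id: str) -> str:
    """Voting Server: stores the vote and returns its signature over the masked identifier."""
    ballot_box.append(encrypted_vote)
    return hmac.new(VOTING_SERVER_KEY, masked_id.encode(), "sha256").hexdigest()

def board_publish_ids(ballot_box: list) -> set:
    """Central Electoral Board after mixing: decrypt votes and publish the ballot identifiers only."""
    return {decrypt_by_board(blob)["ballot_id"] for blob in ballot_box}

def verify_receipt(receipt: tuple, published_ids: set) -> bool:
    """Claim check: the server signature on the mask must be genuine, then the id must be published."""
    ballot_id, mask, server_sig = receipt
    expected = hmac.new(VOTING_SERVER_KEY, mask_id(ballot_id, mask).encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, server_sig) and ballot_id in published_ids

def run_election(votes: list):
    """Casts every vote, collects the receipts (id, mask, server signature) and the published id list."""
    ballot_box, receipts = [], []
    for selections in votes:
        enc, masked, (bid, mask) = voting_client_cast(selections)
        receipts.append((bid, mask, voting_server_accept(ballot_box, enc, masked)))
    return receipts, board_publish_ids(ballot_box)
```

Note that a receipt holds only the identifier, the mask and the server's signature, so it can be published or shown to a third party without revealing the selections.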
The Internet voting platform to be used will include several features to facilitate the audit of the election before, during and after the electoral process:
· The source code can be reviewed by the COMELEC (or designated third-party auditors) under a non-disclosure agreement.
· All the software components of the e-voting platform can be digitally signed for integrity and authentication purposes.
· The e-voting platform records logs of all voting transactions and protects these logs using a special cryptographic mechanism to ensure their authenticity and integrity. Therefore independent auditors can check the accuracy of the logs before starting the audit process.
· The voter, as explained before, can individually check whether his vote was used in the final canvassing, without revealing his voting options.
· Any of the previous audit processes can be implemented without compromising the election accuracy and voters’ privacy.