Skagestein cp hjune2010_static
1. Can we trust electronic voting?
   Why e-voting can not be compared with Internet banking
   Rådet for større IT-sikkerhet: E-valg i Danmark, Copenhagen, June 17th 2010
   Gerhard Skagestein, University of Oslo
   University of Oslo, Department of informatics – © Gerhard Skagestein, June 17th 2010 (trusting e-voting-1)

2. When netbanking – why not e-voting?
   Netbanking                                              | E-voting
   The identity of the netbank customer is no secret       | The identity of the voter behind a ballot should be kept a secret
   The netbank customer can verify the correct behaviour   | The correct behaviour of an e-voting system is difficult
   of the banking system by looking at the account         | to verify (but there are some solutions)
   statement                                               |
   The netbank customer worries about his own bank         | The e-voter worries about his own ballot, but in addition
   account only                                            | also about all the other ballots
   If something should be incorrect, the bank can easily   | If something should be proven to be incorrect, the election
   fix it                                                  | authorities can probably not easily fix it
3. Why do we trust systems?
   (figure: input → system → output)
   Either: we observe that the system behaves as we expect it to do (black box view).
   Or: the mechanisms in the system are so simple that it is obvious that it will work as we expect it to do (white box view).

4. What's so special about computerised systems?
   Immensely complicated
     o handled by "divide and conquer": modularisation, layering
     o components are used over and over again, for a lot of different purposes
   Easily modifiable
     o good for flexibility, but bad for trust
   There is no such thing as a guaranteed safe and correct computerised system (cf. Bruce Schneier: Secrets and Lies)…
   (but there is no such thing as a guaranteed safe and correct non-computerised system, either)
5. Verifying the e-voting system – Black box
   Some proposals
   Before the election
     o Verify the behaviour of the system by running artificial ballots through the system
   During the election
     o Give the voter a confirmation that his ballot has arrived unchanged in the electronic ballot box
     o Introduce ballots from artificial voters and check that they arrive in the electronic ballot box (those ballots will of course not be counted)
   After the election
     o Compare the result of the election with the results of the "exit poll" (valgdagsmåling)

6. Verifying the e-voting system – White box
   Black-box verification before the election alone is not sufficient, because the system may be programmed to change behaviour later. Inspecting the critical parts of the internal logic (white-box testing) is necessary.
   To make white-box verification possible, the mechanisms of the system must be accessible
     o The programming code of the computerised system
     o The operative procedures around the computerised system
   Verifying the program code requires programming skills
     o From layman to expert control
     o Who should be the experts?
   The system verified should be the system running.
   Verifying all modules (including for example the operating system) is unrealistic. Instead, we must build on standardised modules!
7. An important regulation
   The Legal, Operational and Technical Standards for E-voting, Recommendation Rec(2004)11 adopted by the Committee of Ministers of the Council of Europe (the "Recommendation"), states:
     I. Transparency
     20. Member states shall take steps to ensure that voters understand and have confidence in the e-voting system in use.
   This means that the verification must be carried out so that it can be observed in some way by the public, or even performed by the public!

8. Vote casting alternatives
                                                 phase 1 (early voting)                      phase 2 (Election Day)
   uncontrolled environments  electronic voting  E-voting at home – early voting             E-voting at home on Election Day
                              paper ballots      Postal voting                               –
   controlled environments    electronic voting  E-voting in election offices – early voting E-voting in polling station on Election Day
                              paper ballots      Conventional paper ballot – early voting    Conventional paper ballot on Election Day

9. Vote casting alternatives (electronic voting only)
                              phase 1 (early voting)                      phase 2 (Election Day)
   uncontrolled environments  E-voting at home – early voting             E-voting at home on Election Day
   controlled environments    E-voting in election offices – early voting E-voting in polling station on Election Day
   Which alternatives should be allowed – and for which group of voters?
10. Identification and authentication of the voter
    In an uncontrolled environment, the voter must identify himself to the e-voting system.
    Identification and authentication of the voter may be done by a generally available PKI system (citizen identity card)
      o cheaper than a special-purpose election credential
      o the voter will not be tempted to sell it
    The e-ballot may be connected to the voter's real identity, or (safer?) to a derived pseudo-identity.
    But how do we separate the voter's identity from his ballot?

11. The double envelope principle
    Voter side:
      Ballot
        → encrypting with the public key of the election event → Encrypted ballot
        → digital signing with the voter's private key → Digitally signed, encrypted ballot
        → sent over the data net
    Election side:
      Received e-ballots with digital signature
        → verification of the voter's digital signature, which yields
            List of e-voters (to be marked in the voter register)
            Encrypted anonymous e-ballots
        → decrypting the ballots with the private key of the election event → e-ballots to be counted
12. The double envelope principle…
    …ensures (hopefully)
      o the secrecy and the authenticity of the vote
      o that the voter's identity and the content of the ballot can never be connected

13. The danger of compromising the secrecy of the ballot
    The double envelope file and the private key of the election must NEVER meet!
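A toy model of the double envelope of slides 11 to 13, added here as an illustration (it is not part of the presentation and not a real voting scheme): textbook RSA over constructed fixed Mersenne primes, with the signature-checking step and the counting step as separate functions, so that no single step receives both the signed file and the election private key. The names toy_keypair, open_outer_envelopes, count_ballots and the voters alice and bob are assumptions of this example.

```python
import hashlib
import secrets

# Toy textbook RSA over fixed Mersenne primes, constructed for illustration only
# (no padding, no real key sizes). Public key is (n, e), private key is (n, d).
E = 65537

def toy_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest_mod(value, n):
    """SHA-256 of the ciphertext, reduced so it can be signed under modulus n."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % n

def cast_ballot(candidate, election_pub, voter_id, voter_priv):
    """Voter side. Inner envelope: encrypt the choice with the election event's
    public key (a random nonce keeps equal choices from giving equal ciphertexts).
    Outer envelope: sign the ciphertext with the voter's private key."""
    n, e = election_pub
    c = pow((secrets.randbits(64) << 16) | candidate, e, n)  # plaintext < n for the keys below
    nv, d = voter_priv
    return {"voter": voter_id, "ciphertext": c, "signature": pow(_digest_mod(c, nv), d, nv)}

def open_outer_envelopes(envelopes, voter_pubs):
    """Election side, step 1: verify signatures, then split the file into the
    voters to mark in the register and the anonymous encrypted ballots. The
    election private key is deliberately not a parameter. Envelopes whose
    signature fails (e.g. a ciphertext altered in transit) are dropped."""
    voters_to_mark, anonymous_ballots = [], []
    for env in envelopes:
        nv, e = voter_pubs[env["voter"]]
        if pow(env["signature"], e, nv) == _digest_mod(env["ciphertext"], nv):
            voters_to_mark.append(env["voter"])
            anonymous_ballots.append(env["ciphertext"])
    secrets.SystemRandom().shuffle(anonymous_ballots)  # list order must not reveal the voter
    return voters_to_mark, anonymous_ballots

def count_ballots(anonymous_ballots, election_priv):
    """Election side, step 2: decrypt only anonymous ballots. The signed file
    never reaches this function, so identity and ballot content stay apart."""
    n, d = election_priv
    counts = {}
    for c in anonymous_ballots:
        candidate = pow(c, d, n) & 0xFFFF
        counts[candidate] = counts.get(candidate, 0) + 1
    return counts

# Constructed keys: one Mersenne-prime pair per party, no prime shared between parties.
ELECTION_PUB, ELECTION_PRIV = toy_keypair(2**89 - 1, 2**107 - 1)
VOTER_KEYS = {"alice": toy_keypair(2**31 - 1, 2**61 - 1), "bob": toy_keypair(2**19 - 1, 2**127 - 1)}
```

The black-box check of slide 5 (a ballot must arrive unchanged) shows up as a rejected outer envelope: any change to the ciphertext in transit invalidates the voter's signature.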
14. Threats
    Technical
      o Falsifying votes by bogus software (especially on home computers)
      o Compromising voters' anonymity and secrecy of vote
      o Denial of service attacks
      o Technical breakdown
    Social/democratic (in uncontrolled environments)
      o Questionable anonymity and secrecy
      o Bargaining votes
      o Voting subject to coercion ("family voting")
      o Voting taken less seriously

15. Will I trust electronic voting?
    Maybe…