Skagestein cp hjune2010_static
- 1. Can we trust electronic voting?
Why e-voting can not be compared with Internet banking
Rådet for større IT-sikkerhet: E-valg i Danmark
Copenhagen June 17th 2010
Gerhard Skagestein, University of Oslo
University of Oslo, Department of informatics – © Gerhard Skagestein June 17th 2010 trusting e-voting-1
- 2. When netbanking – why not e-voting?
Netbanking: The identity of the netbank customer is no secret
E-voting: The identity of the voter behind a ballot should be kept a secret
Netbanking: The netbank customer can verify the correct behaviour of the banking system by looking at the account statement
E-voting: The correct behaviour of an e-voting system is difficult to verify (but there are some solutions)
Netbanking: The netbank customer worries about his own bank account only
E-voting: The e-voter worries about his own ballot, but in addition also about all the other ballots
Netbanking: If something should be incorrect, the bank can easily fix it
E-voting: If something should be proven to be incorrect, the election authorities can probably not easily fix it
- 3. Why do we trust systems?
Either:
We observe that the system behaves as we expect it to do
(black box view; figure: input → system → output)
Or:
The mechanisms in the system
are so simple that it is obvious
that it will work as we expect it
to do
(white box view)
- 4. What’s so special about computerised systems?
Immensely complicated
o handled by “divide and conquer”
Modularisation, layering
Components are used over and over again,
for a lot of different purposes
Easily modifiable
o Good for flexibility, but bad for trust
There is no such thing as a guaranteed safe and correct
computerised system (cf. Bruce Schneier: Secrets and Lies)
… (but there is no such thing as a guaranteed safe and correct
non-computerised system, either)
- 5. Verifying the e-voting system – Black box
Some proposals
Before the election
o Verify the behaviour of the system by running artificial ballots
through the system
During the election
o Give the voter a confirmation that his ballot has arrived
unchanged in the electronic ballot box
o Introduce ballots from artificial voters and check that they arrive
in the electronic ballot box (those ballots will of course not be
counted)
After the election
o Compare the result of the election with the results of the
“exit poll” (Norwegian: valgdagsmåling)
- 6. Verifying the e-voting system – White box
Black-box verification before the election alone is not sufficient,
because the system may be programmed to change its behaviour later.
Inspecting the critical parts of the internal logic (white-box testing) is
therefore necessary
To make white-box verification possible, the mechanisms of the
system must be accessible
o The programming code of the computerised system
o The operative procedures around the computerised system
Verifying the program code requires programming skills
o From layman to expert control
o Who should be the experts?
The system that is verified must be the same system that is actually running
Verifying all modules (including for example the operating system) is
unrealistic. Instead, we must build on standardised modules!
- 7. An important regulation
The Legal, Operational and Technical Standards for E-voting
Recommendation Rec(2004)11 adopted by the Committee of
Ministers of the Council of Europe (the “Recommendation”) states:
I. Transparency
20. Member states shall take steps to ensure that voters
understand and have confidence in the e-voting system in use.
This means that the verification must be carried out
so that it can be observed in some way by the public,
or even performed by the public!
- 8. Vote casting alternatives
Uncontrolled environments
o phase 1 (early voting): E-voting at home – early voting; Postal voting
o phase 2 (Election Day): E-voting at home on Election Day
Controlled environments
o phase 1 (early voting): E-voting in election offices – early voting; Conventional paper ballot – early voting
o phase 2 (Election Day): E-voting in polling station on Election Day; Conventional paper ballot on Election Day
(The e-voting alternatives are grouped as “electronic voting”; postal voting and the conventional paper ballot as “paper ballots”.)
- 9. Vote casting alternatives
Uncontrolled environments
o phase 1 (early voting): E-voting at home – early voting
o phase 2 (Election Day): E-voting at home on Election Day
Controlled environments
o phase 1 (early voting): E-voting in election offices – early voting
o phase 2 (Election Day): E-voting in polling station on Election Day
Which alternatives should be allowed
– and for which group of voters?
- 10. Identification and authentication of the voter
In an uncontrolled environment, the voter must identify himself
to the e-voting system
Identification and authentication of the voter may be done by a
generally available PKI-system (citizen identity card)
o cheaper than a special purpose election credential
o the voter will not be tempted to sell it
The e-ballot may be connected to the voter's real identity,
or (safer?) to a derived pseudo-identity
But how do we separate the voter's identity from his ballot?
- 11. The double envelope principle
Vote casting (on the voter's side):
o The ballot is encrypted with the public key of the election event, giving the encrypted ballot (the inner envelope)
o The encrypted ballot is digitally signed with the voter's private key, giving the digitally signed, encrypted ballot (the outer envelope)
o The double envelope is sent over the data network (Datanet)
Vote receiving (on the election side):
o Received e-ballots with digital signature: the voter's digital signature is verified
o The list of e-voters is marked in the voter register
o The signature is stripped off, leaving encrypted anonymous e-ballots
Counting:
o The anonymous e-ballots are decrypted with the private key of the election event, giving the e-ballots to be counted
- 12. The double envelope principle…
…ensures (hopefully)
the secrecy and the authenticity of the vote
that the voter's identity and the content of the ballot
can never be connected
- 13. The danger of compromising
the secrecy of the ballot
The double envelope file and the private key of
the election must NEVER meet!
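The double envelope flow of slides 11 to 13, as an added example in Go that is not from the slides (the deck names no implementation): RSA-OAEP for the inner envelope, Ed25519 for the outer signature and the names NewElectionKey, CastBallot, Registry, Receive and Count are all assumptions made here. The receiving stage (Registry) holds voter public keys and the voter register but never the election private key, and the counting stage (Count) holds the election private key but is handed anonymous inner envelopes only, which is the separation slide 13 insists on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewElectionKey generates the election event's key pair (assumed choice: 2048-bit RSA, enough for short ballots).
func NewElectionKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// CastBallot runs on the voter's side: encrypt the ballot to the election event's public key
// (inner envelope), then sign that ciphertext with the voter's private key (outer envelope).
func CastBallot(ballot []byte, electionPub *rsa.PublicKey, voterPriv ed25519.PrivateKey) (inner, sig []byte, err error) {
	if inner, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, electionPub, ballot, nil); err != nil {
		return nil, nil, err
	}
	return inner, ed25519.Sign(voterPriv, inner), nil
}

// Registry is the receiving stage: it holds voter public keys and the voter register, never the election private key.
type Registry struct {
	Keys   map[string]ed25519.PublicKey
	Marked map[string]bool // e-voters already marked in the voter register
}

// Receive verifies the outer envelope, marks the voter, and hands on only the anonymous inner envelope.
func (r *Registry) Receive(voterID string, inner, sig []byte) ([]byte, error) {
	pub, ok := r.Keys[voterID]
	if !ok || r.Marked[voterID] || !ed25519.Verify(pub, inner, sig) {
		return nil, errors.New("unknown voter, voter already marked, or invalid signature")
	}
	r.Marked[voterID] = true
	return inner, nil // voter ID and signature stop here; only the inner envelope goes on
}

// Count is the separate counting stage, the only holder of the election private key; it sees anonymous inner envelopes only.
func Count(inners [][]byte, electionPriv *rsa.PrivateKey) (map[string]int, error) {
	tally := map[string]int{}
	for _, c := range inners {
		b, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, electionPriv, c, nil)
		if err != nil {
			return nil, err
		}
		tally[string(b)]++
	}
	return tally, nil
}
```

Because Receive strips the signature before anything reaches Count, the file of anonymous envelopes and the election private key meet only in a stage that has no voter identities to link them to.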
- 14. Threats
Technical
o Falsifying votes by bogus software (especially on home computers)
o Compromising voters' anonymity and the secrecy of the vote
o Denial of service attacks
o Technical breakdown
Social/democratic (in uncontrolled environments)
o Questionable anonymity and secrecy
o Bargaining with votes
o Voting subject to coercion (“family voting”)
o Voting taken less seriously
- 15. Will I trust electronic voting?
Maybe…