Internet Voting


#41

In Java, the method that Glenn describes is called “code signing”, and it works much the same way that your browser does when it prevents MitM attacks when it goes to an https (TSL secured) site: It uses a PKI certificate to prove that the program was not tampered with.

1.) The developer creates a private key - public key pair, and sends it to a “certificate authority” to sign.
2.) The certificate authority then adds their public key to it, signs it with their private key, and sends that back to the developer.
3.) The developer adds this signed set of public keys to their release project, computes the checksum, and then signs that with their private key.
4.) in order to run the software on a computer, a system administrator has to add the certificate authority’s public key into the “trusted certificate authorities” store.

So now when someone tries to run the program on their computer, the java plugin will:
1.) check if the certificate authority is in the trusted authority store. if not, it won’t run the program.
2.) check if the certificate authorities’ signature is valid - it does this by decrypting the signature with the public key and checking if it matches the checksum. if it’s not valid, then it’s a forgery. it won’t run the program.
3.) check if the developer’s signature is valid - it does this by decrypting the signature with the public key and checking if it matches the checksum. if it’s not valid, then it’s a forgery. it won’t run the program.
4.) check if the stored checksum matches the computed checksum. if it doesn’t match, then the program has been tampered with. it won’t run the program.

In addition to that, it does a number of other checks. But that’s the main part, IMO.

For more information, you can read up on “code signing certificates”.


#42

In reading back through this thread, I’m coming to the conclusion that I’m trying to bite off FAR too much at one time.
I think it would be best to concentrate on making the online election software WITHOUT trying to also institute Public election funding at the same time. I think I’ll remove the public election stuff and save that for another day.

With that in mind, it seems like a couple points have been addressed as highly likely to be achievable…

  1. Fake and Real passwords seem to be able to defeat both Coercion and Vote selling although it would be difficult to implement. The reason I’m not yet willing to let go of the concept is that it provides a means for producing a paper receipt, which SOOO many people are still absolutely insisting to be an essential feature. And I agree that a receipt is essential in the beginning, just to check the system and to help people feel like their vote has something of actual physical substance to it instead of just casting it out into the digital “voting box” where it disappears from sight - just like we do now.
  2. Code signing seem to make it possible to have an authenticated download of the ISO that can also check it’s own authenticity every time it boots up. So that seems possible.
  3. Vote by mail is indeed working great here in Oregon and I read that we are rated as the easiest state to vote in. While it is claimed that the USPS loses 2% of the mail, which sounds like a significant number for an election, I think part of that number should be attributed to indistinguishable handwritten addresses. The fact that our ballot envelopes have a VERY distinct look and no need to read the address because every postal worker in the state knows where that type of envelope needs to go, probably contributes to a far lower loss rate for that particular type of mail. The point being that ease of voting increases participation, as does the feeling that the system functions properly and without any hacking.

I was thinking this same thing a couple days ago. I’m no blockchain expert but it seems like it should be possible to create a blockchain wallet which acts as a voter registration “identity.” Blockchain wallets definitely create a unique number which could serve as a registration number, but would there be any use for a QR code in this system? If a QR code were created in a registration process, could that be used as a generic form of personal ID for voting and all other ID needs? Once you register in person with your facial photo, your fingerprints, birth certificate, etc, would there be a positive function to having all that individual ID info encrypted into the same thing as a Bitcoin wallet? You could use your phone to pull up the QR code to your personal registration and use it as a bank card, voter Id, school registration, driver’s license etc. Could that become a more secure form of personal ID or would it create more problems than it solved?

Just today I discovered “Follow My Vote” which is a strange name but it’s almost the same concept as OpenVote.World except that it does not use a Live Operating system and I can’t tell for sure, but it seems like the whole project got shelved. However, they did create a really nice Open Source code for the actual voting software.


You can see a video of how it works here… https://followmyvote.com/code-contributors/

If anyone knows how to do this, I think it would be a great experiment to install this software into a TAILS disk and see if it can be made to work as a rough draft sort of LIVE operating system.
Then we could start adding pieces to the puzzle - like code signing.


#43

If the software is checking itself, then you cannot trust that the check routine will not also be corrupted. You cannot trust that it is actually computing the SHA512 of its own code and not just pretending to and spitting out the answer that matches the SHA512 of the correct code.

You cannot trust any code that you did not write absolutely on your own.


#44

Thanks. I do appreciate your attention to this. And of course I appreciate your real-world experience.

It would be nice if you could mix in a little bit of creative problem solving at the same time because, while I do appreciate your ability to see when things WON’T work, the most helpful thing you could do would be to tell me how it COULD be made to work.

With that in mind… Ok so you can’t have the program check itself.
I think we COULD make a set of boxes open up at the top of the software and have each of the checksum numbers automatically populate the boxes. Then there could either be a secondary bit of software that sets off an alarm when the two don’t match, or the User could be told to only use the software if the two numbers match.

Would something like that work?


#45

To be clear, the verification-on-boot is done by the plugin software; the java runtime environment. So you’d have to make sure that isn’t compromised.

I’m leaning towards a browser-based system - where the business logic and security and validation is on the server side. And there’s education to the voter about how to make sure they’re on the right site. Like http://forkdelta.app has.

QR codes:
Yes a blockchain account can use a QR code for signing. They already do this for bitcoin ATM machines.

Identity storage:
I’m thinking it would work much like a bank does: they validate your identify, and store the records (photo, etc.). And they sign off that it’s been validated, so it’s on them. In this scenario they’d actually digitally (cryptographically) sign. so they’d act as an “intermediate certificate authority” for identity verification.

So it’s kind of like website identities are confirmed in https, except instead of websites, its people.

The PolyMath blockchain start up is very focused on the identity part - satisfying KYC/AML (know your customer anti-money laundering) legal requirements. IMO, these are all essentially the same problem (bank account registration/polymath/https/voter registration)


#46

the program isn’t checking itself. in the specific example i gave, the java runtime environment, written by Oracle, is doing the checking. This has to be installed by a system admin and the presumption is that they are knowledgeable enough and responsible enough to confirm the authenticity of the source of the download, and in any case they are accountable.


#47

Again, that’s assuming that the Live disk/USB that you’re using is an uncorrupted version, rather than a replacement. Unless you create it yourself, based on code you examined yourself, how do you know that it’s the right program?

Hell, I imagine that the easiest way to do this would be to create a Live program that is the real code, with just an overlay, so that the malware is working on the physical machine, and the legit Live code is working on the virtual machine the malware creates, the MITM happening in that hand-off.

And yes, it’s pretty clear that this would be limited to physical attacks, but a physical attack at an internet cafe, or at a Library, or by handing out pre-burnt CD’s/USB at Universities or through “Known Good” organizations (such as LWV, etc) could make meaningful impacts on elections…


#48

That’s one of the reasons I’m leaning towards browser-based, with validation and security done server side, and transactions visible on a blockchain, with a closed set of validators (polling places, watchdog groups). Then you have to educate the voters on basic computer security - such as checking for https:, checking the url, and heeding certificate warnings / errors.


#49

Ok, so I’m no software guy, but isn’t that the purpose of Open Source? Can you still not trust even Open Source? I saw yesterday that there was an opening discovered at Github, so maybe we would have the code posted there for review and bug hunting, but then have the actual production version of the software living on a completely disconnected computer, or on a distributed system like maybe even it’s own blockchain. Can you store software in a blockchain?

I would like to request that we limit this discussion to defeating threats that could be used in a mass attack. The possibility of an Internet Cafe or a library handing out fake CD’s is Super Low when you consdider that it would be a felony to do that.

How would you keep the same checksum if you added the code for this layer system you’re talking about?
And if you’re talking about using a Live system within a virtual box, wouldn’t you have to boot into something other than Our LIVE disk first in order to get that to work?
I don’t see how that could work if you boot straight to a Live operating system on a read only disk that compares the original checksum to the checksum of the currently running version.

So… is there no need for a LIVE operating system? It sounds like you are recommending using a regular operating system and a regular Internet connection, and a regular browser, which creates all the regular opportunities for hacking.
If you have some reason for thinking that a LIVE operating system is not a requirement for security, please try to explain it to me or send me a link or something.
What you seem to be saying is that this whole thing I’m working on is a mute point.

Please explain.


#50

Blockchains such as ethereum and eos can not only store code, but also RUN it. These are called “smart contracts”.

The so-called “physical layer” is an essential part of computer security. Indeed, the OSI model explicitly includes it.

Computer security is a broad and highly branching topic, and while this may seem daunting, it’s important to cover it exhaustively. So called “side channel attacks” can not only cripple the most well protected security, but they are indeed the most common way security is crippled.

I am reminded of a Tiger Team that was hired in the 60’s to test the NSA’s security. They fished a memo out of the NSA’s trash, copied the letter head, and write on it: critical security update. please install. on top of the memo was a floppy disk containing an exploit.

it worked. in no time at all the tiger team had root access.

I think the live is might be the best approach. and that the regular os might be better, among other reasons because there is a much larger community and infrastructure to protect it.

Generally speaking, “security through obscurity” is frowned upon as a weak method.


#51

If you mean that a Live OS is “obscure” then I can certainly get the joke, but I think only a programmer might appreciate the humor while all the “rest” of us might be more appreciating the old addage, KISS.
or “Simple is beautiful”
The LIVE system seems to allow for the fewest possible variables and every variable is a weakness.
So maybe the weak method should be seen as the one with the most holes in it.

If we can cut this thing down to the bare bones and the seal it on a read-only media… that sounds pretty elegant to me.

I hadn’t heard of the Tiger Team story but I have heard of the Iraq centrifuge program that we hacked just by dropping a bunch of USB sticks all over the place outside the building and eventually somebody got curious.

All the more reason to keep the production version of the code on a disconnected machine with limited access. Like most PEN testing, a low key physical breach is often the only way in the door.


#52

In other end-to-end verifiable systems, to prevent the voting machine (software) from “cheating”, a voter auditing procedure is used. But it requires at least an encrypted version of the vote being publicly available, which, if you’re not careful, can enable vote buying and coercion. Existing systems manage it using a secret ballot.

Secret code words don’t help. But they don’t help even if you know the software is trustworthy anyway.

This is how it works: The voter uses the software to fill out a ballot. The software then displays what the encrypted ballot would be if it were cast. At that point—an not any earlier—the voter can chose to either cast the ballot, or to audit the software. If they choose to audit the software, that ballot cannot be cast. The machine reveals information that can be used to prove that the encrypted vote really was what the voter voted for. This can be repeated as many times as the voter wants, filling in the ballot in any way they want, until they are satisfied that the software is not cheating. Then they can choose to cast their ballot, where a copy of their encrypted ballot is posted, and they have their own copy. Finally, they check to make sure that their ballot really does appear on the blockchain.

If your software were compromised, you could detect it, either by the software being unable to prove that the encrypted ballot was correct, or by you not being able to find your ballot on the blockchain.

However, even besides issues with vote buying and coercion, I do see issues with this approach for online voting. One is that a voter could falsely claim to be the victim of fraud. With a secret ballot, a voter could receive proof that they did actually vote, so their claims of fraud can be verified. I don’t think that’s possible with online voting.

But a bigger issue is about how the software would be able to prove that an encryption is correct. Normally this is done using a quirk of encryption that doesn’t require decryption, but could still potentially be abused (let me know if you want more details). It’s one of my biggest reservations with end-to-end systems even using a secret ballot, and I think it makes this auditing procedure completely useless for online voting.


#53

What RWX? I got this from the answer to puzzle 41 on WDS’s voting puzzle page.

Then the boxes could be corrupted. I could just make it so it displays the numbers that correspond to correct software and only pretend to compute its own checksum.

You would have to have a checksum software that is completely outside of the voting software.

Hi. I am totally an honest person handing you a totally legit copy of the open source software, and of course I am not just pretending this CD is the actual software when it is actually malware designed to not count your vote.


#54

Sounds like you’ve done a lot of homework and thinking on this.

Do you have a solution in mind?

If not, do you think this makes the whole project grind to a halt, or do you think these issues are surmountable in the near future?


#55

First, please set aside the idea of the small-time coffee shop owner that passed out corrupt CD’s and maybe stole a couple hundred votes, because a couple guys like that would end up in the Federal penitentiary and then others would think twice. Small time voter fraud is the concern of the law - not us.

AND… if that’s the worst thing that happens we should congratulate ourselves for the fact that MILLIONS of votes were not stolen as they are being stolen in our elections now.

I’d take a coffee shop fiasco over a massively rigged election any day.

This is like the old argument for gun control where you say nobody should have guns because somebody will certainly abuse the right. Sure it happens… then they go to jail.

I think we have to push on with the concept that will do the most benefit and let the police deal with the abusers.

I notice your suggestion for a checksum software that is completely outside the Election Operating System. Could that really work? And if so, what would that look like?


#56

Oh, like the 537 votes that Bush won by? Every vote matters.


#57

Bush didn’t win.

He didn’t just lose the popular vote, he got less votes in Florida. He lost the election.

The only reason why he won the presidency is because the US supreme court stopped the recount in Florida, a recount that Gore won.