Providing Trusted Paths Using Untrusted Components
Andre L. M. dos Santos
Georgia Institute of Technology
Electronic Voting
• Assumptions:
  • There is a framework for electronic voting.
  • All the crypto is embedded in the framework.
  • Smart cards, USB tokens, or any other portable tamper-resistant device add security to electronic voting.
• Problem:
  • Would a tamper-proof smart card solve all problems of electronic voting?
What is the problem?
• The devices that are used for direct I/O with a human need to be tamper proof.
• So, not only the card needs to be tamper proof ….
(Illustration: the voter says “I vote for John”; the untrusted terminal reports “Homer’s vote is for Bob” … Or NOT????)
Hard AI Problems
• Informally, something that humans can do easily but computers can't.
• CAPTCHA -- Completely Automated Turing Test to Tell Computers and Humans Apart
  • Generate a random message, transform it, ask the human to repeat it.
• Transformation problem:
  • Subset of hard AI problems that transform a message.
  • Example: distort the text of a message so that only humans can read it.
KHAP: Keyed Hard AI Problems
• A transformation problem that includes a shared secret key.
• Instances generated with different keys are distinguishable.
• Computers can't steal keys from messages.
• Formalism: t = T(m, k) is an (α, β, γ, δ, ε, ζ)-keyed transformation if
  • the probability that a human can extract m from t is at least α;
  • the probability that a human with knowledge of k can correctly verify whether k was used to create t is at least β;
  • there does not exist a computer program that runs in time ζ such that the probability of the program extracting m from t is greater than γ;
  • there does not exist a computer program that runs in time ζ such that the probability of the program extracting k from t is greater than δ;
  • let A be a computer program that modifies t to include m′ ≠ m; there does not exist an A that runs in time ζ such that the probability of a human failing to detect the modification is greater than ε.
3-D Keyed Transformation
• Render text and objects in a 3-D scene to a 2-D image (raytrace).
• Randomize parameters (lighting, position, rotation, size, colors).
• The human can read the text from the 2-D image.
• The key is the appearance of objects: the human looks for particular objects in the scene.
• The scene is hard to modify in a meaningful way (shadows, reflections, finding objects).
• Provides authenticity (presence of keys) and integrity (modifications can be detected by the human).
Considerations
• How does a human confirm a message?
  • Disconnect, or not, the trusted platform
  • When should you connect your platform?
  • Confirmation word
• How does a low computing power device perform the transformation?
  • Can use (semi-)trusted servers connected using an anonymizing network
  • Needs to worry about covert channels
• What is the best transformation?
  • Other examples are speech and text.
Considerations
• Replays and Human Professors
  • Time stamps
  • Aging
  • Spatial relationships
• Easy to guess keys
  • Cute puppy dog!
  • May be easier to avoid
Conclusions
• This is a general approach for interacting with trusted computers.
• Many features of electronic voting systems help the use of this approach.
• Easy to use.
• Avoid computation and memory aids: ask humans to do what they do best.
• Some problems are intuitive (e.g., recognizing a voice).