
Electronic Voting Network Security


Presentation Transcript


  1. Electronic Voting Network Security Edward Bigos George Duval D. Seth Hunter Katie Schroth

  2. Outline • Introduction & Overview • Network Definition • Funding & Certification • Security Concerns • Recommendations • Conclusion

  3. Introduction • Election security is a historic concern • Decides who has power and control • Often a heavily distributed process • Ancient Greeks cast secret, fully-auditable ballots • Several important components • Anonymity of votes • Authentication of voters • Integrity of votes • Result tampering • Result validation

  4. Overview • First nationwide attempt at electronic voting in 2004 Presidential Election • PC-based DRE Voting Machines and Central Tabulators • Network security concerns exist at the Central Tabulators and their links to voting machines • Network capability just as important as actual usage • Disclaimer: NOT a political argument • Election security in a modern context • Recent election chosen solely because it was the first large-scale rollout of such technology

  5. Network Definition • ‘Legacy’ voting machines • Punch card readers • Optical scanners • Direct Recording Electronic (DRE) machines • AccuVote-TS • Central Tabulators • Diebold GEMS • Network capabilities • Ethernet NIC • Dial-up modem – commonly used. • Occasionally, wireless NIC! • Little to no protection, and enabled by default.

  6. Funding And Certification of E-voting systems

  7. Significance • Need to determine how and where the money comes from to upgrade the voting systems. • Who and what establishes the standard that the new machines are tested against

  8. HAVA, NASED and the ITA • Help America Vote Act (HAVA) • Formed from the Federal Election Commission to funnel funds to upgrade voting equipment • National Association of State Election Directors (NASED) • Formed out of the Election Assistance Commission to help standardize the evaluation of equipment • Independent Testing Authorities (ITA) • “Specialists” hired to test the HW and SW of the new electronic voting equipment.

  9. Independent Testing Authorities: Pot-holes in the system • Wyle Labs were used for the HW testing • Left security to be tested by the manufacturer • Ciber Inc. hired to test SW • Penetration and security tests “Not Applicable”

  10. Integrity and Security Concerns • Vote Integrity • Entry-point problems: • Punch cards, optical scanners and DREs • Rogue voting machines • Vulnerable to malicious attacks such as: • Network access, authentication, man-in-the-middle, desynchronization • Eavesdropping • Line taps, packet sniffing and man-in-the-middle • Result tampering

  11. Hypothetical Tampering • Tampering without notice • Point of entry: National Election Poll • Assume a direct link to the Central Tabulators is accessible to NEP workers • Gains access to the network • Accesses the database • Likely suspects: • NEP poll worker or a technician familiar with the manufacturing of the voting equipment

  12. Security of Electronic Voting

  13. Notable Security Reviews • Hopkins Report • Review of voting terminal security. • SAIC Report • Management controls • RABA Report • Actual security tests.

  14. Hopkins Report • In-depth review of C++ source code left on an open Diebold FTP server. • Suggested several potential attacks. • “cryptography, when used at all, is used incorrectly” • Hard-coded encryption key = F2654hD4. Same since 1998! • “Even unsophisticated attackers can perform ‘untraceable’ man-in-the-middle attacks.”

  15. Key Points from the Hopkins Report
  • Key Management: a hard-coded key:
    #define DESKEY ((des_key*)"F2654hD4")
  • Encryption: the implementation always uses zero for its IV.
    DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT);
  • Message Authentication: the 16-bit CRC of the plaintext data is an un-keyed public function.
  • The CRC is stored with the ciphertext in the file and read whenever it is decrypted and verified.
  • The problem is that the ciphertext shouldn’t be stored with the CRC in unencrypted form.

  16. SAIC Report • Management and policy, not a technical review. Commissioned by MD Governor Ehrlich. • Suggested the use of controls & “tamper tape”. • “Dr Rubin did not have a complete understanding of Maryland’s implementation, process, controls and environment.” • Conclusion: Systems at high risk, but risk could be mitigated by management controls.

  17. RABA Report • Reviewed & critiqued the Hopkins & SAIC reports. • Hopkins report substantially correct. • Agrees with the evaluation that the election station software code quality is poor. • RED TEAM laboratory exercise. • Used current Diebold source and actual AccuVote-TS hardware (January 2004). • Poor security related to the DES key (F2654hD4) and administrative password (1111) still unchanged in the newest versions.

  18. Recommendations

  19. Plug Most Severe Network Security Vulnerabilities • DRE Voting Machines • Mandatory paper ballot receipts • Ensuring that a proper recount can be conducted • Finding a compromised DRE does not mean lost votes • Central Tabulators • Open Source Code • Eliminating the need for ITAs • Ensuring secure software solutions

  20. Policies & Regulations • Audit Reform • Require a standard for recognizing the need for a recount • Prohibit Direct Feeds into Central Tabulators • Only as strong as the weakest link • Other network feeds increase vulnerability

  21. Conclusions • Defined the system components of the election network • Discussed financing and certification • Explained network security concerns for the system components • Suggested first steps to improving network security

  22. Backup

  23. Key Management
  • Code snippet reveals a hard-coded key:
    #define DESKEY ((des_key*)"F2654hD4") [1]

  [1] Kohno, Stubblefield, Rubin, Wallach. “Analysis of an Electronic Voting System.” IEEE Symposium on Security and Privacy 2004. IEEE Computer Society Press, May 2004.

  24. Encryption
  • Another code sample from the GEMS software source code shows that the implementation always uses zero for its IV.
    DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT); [1]
  • A NULL in the IV argument forces DesCBCEncrypt to use all zeros.
  • “Strong” random numbers are required as the IV for each CBC-mode encryption.

  25. Message Authentication
  • The 16-bit CRC of the plaintext data is an un-keyed public function.
  • The CRC is stored with the ciphertext in the file and read whenever it is decrypted and verified.
  • The problem is that the ciphertext shouldn’t be stored with the CRC in unencrypted form.
  • Better to first encrypt the data to be stored and then compute a keyed cryptographic checksum of the ciphertext.
  • The checksum can then be used to detect any tampering with the plaintext.
  • Since each entry has a timestamp, it can be used to detect reordering.
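  Added example, not code from the slides or from the GEMS source: Go's standard library (which ships DES, CBC and HMAC) is used to contrast the pattern slides 15 and 24 describe (fixed key, all-zero IV, no keyed check) with the encrypt-then-MAC design slide 25 recommends. The function names, the separate MAC key and fixed-width records (a whole number of 8-byte blocks) are assumptions of this example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// legacyEncrypt reproduces the weak pattern on slide 15: the quoted fixed key, an all-zero IV
// and no keyed check, so equal records always yield equal ciphertext. Records are assumed to be
// fixed-width (a whole number of 8-byte DES blocks); CBC's CryptBlocks panics on partial blocks.
func legacyEncrypt(record []byte) []byte {
	block, _ := des.NewCipher([]byte("F2654hD4")) // 8-byte literal, so NewCipher cannot fail
	out := make([]byte, len(record))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, record)
	return out
}
// sealRecord is the hardened form from slide 25: a fresh random IV, then HMAC-SHA256 over
// IV||ciphertext under a separate MAC key (encrypt-then-MAC). Layout: IV | ciphertext | tag.
func sealRecord(block cipher.Block, macKey, record []byte) ([]byte, error) {
	out := make([]byte, block.BlockSize())
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	ct := make([]byte, len(record))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, record)
	mac := hmac.New(sha256.New, macKey)
	out = append(out, ct...)
	mac.Write(out)
	return mac.Sum(out), nil
}
// openRecord verifies the tag in constant time before decrypting; any altered byte is rejected.
func openRecord(block cipher.Block, macKey, blob []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(blob) < 2*bs+sha256.Size || (len(blob)-sha256.Size)%bs != 0 {
		return nil, errors.New("malformed record")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed: record altered or wrong key")
	}
	pt := make([]byte, len(body)-bs)
	cipher.NewCBCDecrypter(block, body[:bs]).CryptBlocks(pt, body[bs:])
	return pt, nil
}
```

With the zero IV, two records that share their first 16 bytes also share their first two ciphertext blocks, which is exactly the leakage a random IV removes; with the MAC over the ciphertext, a single flipped byte or a wrong key fails verification before anything is decrypted.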
