2.Security Aspects of Electronic Voting Systems

Published on January 2017 | Categories: Documents | Downloads: 42 | Comments: 0 | Views: 254
of 9
Download PDF   Embed   Report

Comments

Content

Security Aspects of Electronic Voting Systems
Hristina Mihajloska, Vesna Dimitrova and Ljupcho Antovski
Ss Cyril and Methodius University
Faculty of Natural Sciences and Informatics
Institute of Informatics, Skopje, Macedonia
{[email protected], [email protected], [email protected]}

Abstract. An electronic voting (e-voting) system is a voting system in which
the election data is recorded, stored and processed primarily as digital
information. There are two types of e-voting: on-line, e.g. via Internet, and offline, by using a voting machine or an electronic polling booth. Security is the
main challenge of e-voting. This is the reason why designing a secure e-voting
system is very important. In many proposals, the security of the system relies
mainly on the black box voting machine. But, security of data, privacy of the
voters and the accuracy of the vote are also main aspects that have to be taken
into consideration when is building secure e-voting system. So, that is why in
this paper we discuss about the security aspects for e-voting systems. The focus
of this paper is on the data security. It means that cast ballot cannot be altered.
The electoral register used in the system does not contain names, but only
numeric identifiers. Also the electronic ballot box is sorted in a random way,
before being decrypted, which offers a protection of privacy of the voters.
Indeed, it might be possible to reconstruct the order of arrival of the electronic
ballots and break the vote anonymity by comparing this order with the date and
time of each vote.
Keywords: E-voting system, security, privacy, cryptography.

1

Introduction

Today we live in the era of modern communications and Internet, where almost
everything is accessible electronically. The rapid growth of number of computer
technology users, i.e., Internet users, brings the increasing need for electronic services
and their security. So, using the new technology in the voting process to improve our
elections is natural. This new technology refers to electronic voting systems where the
election data is recorded, stored and processed primarily as digital information [2].
In the past, usually, information security was used mostly in military and government
institutions. But, now need for this type of security is growing in everyday usage. In
computing, e-services and information security it is necessary to ensure that data,
communications or documents (electronic or physical) are enough secure and privacy

2

Hristina Mihajloska, Vesna Dimitrova and Ljupcho Antovski

enabled. Advances in cryptographic techniques allow pretty good privacy on e-voting
systems.
Security is adjective, not a noun in e-voting process. This is the reason why designing
a secure e-voting system is very important. Usually, mechanisms that ensure the
security and privacy of an election can be time-consuming, expensive for election
administrators, and inconvenient for voters. It is important to mention that the system
has to be secured, but simple for usage, i.e., user-friendly and the voter must be sure
that his/her vote will be count [7].
There are different levels of e-voting security. Therefore serious measures must be
taken to keep it out of public domain. Also, security must be applied to hide votes
from publicity. However, there is no complete security, because everything that can
be secured can be unsecured. There is no measurement for acceptable security level,
because the level depends on type of the information. An acceptable security level is
always a compromise between usability and strength of security method [8].
It is very important to notice that if a system is not carefully designed then it will be
easy to manipulate the final ballots.
In this paper we will focused on the information security, which means that cast ballot
cannot be altered, the electoral register used in the system does not contain names but
only numeric identifiers and the electronic ballot box is sorted in a random way,
before being decrypted, which offers a protection of privacy of the voters.
In the beginning we give a brief introduction to the cryptographic primitives (secret
key, public key cryptography, hash functions and digital signatures). Next we give a
description and types of e-voting systems. In the last part of this paper the analysis of
security protocol of e-voting system is given. As the end we finished with our
conclusion about security and privacy of this system.

2

Cryptographic primitives

The most important and used things for supplying security of the e-voting system are
cryptographic primitives.
Cryptography is the science of information security. Also, it is said that cryptography
is the science of writing in secret code and is an ancient art [10]. The first documented
use of cryptography in writing dates back to circa 1900 B.C. when an Egyptian scribe
used non-standard hieroglyphs in an inscription. Some experts argue that
cryptography appeared spontaneously sometime after writing was invented, with
applications ranging from diplomatic missives to war-time battle plans. It is no
surprise, then, that new forms of cryptography came soon after the widespread
development of computer communications. In data and telecommunications,
cryptography is necessary when communicating over any untrusted medium, which
includes just about any network, particularly the Internet. Cryptography includes
techniques such as microdots, merging words with images, and other ways to hide
information in storage or transit.
Until modern times, cryptography referred almost exclusively to encryption which is
the process of converting ordinary information plaintext into unintelligible ciphertext.

Security Aspects of Electronic Voting Systems

3

Decryption is the reverse, in other words, returning the unintelligible ciphertext back
to plaintext. A cipher is a pair of algorithms which create the encryption and the
reversing decryption. The detailed operation of a cipher is controlled both by the
algorithm and in each instance by a key. This is a secret parameter (known only to the
communicants) for a specific message exchange context. Keys are important, as
ciphers without variable keys are trivially breakable and therefore less than useful for
most purposes. Historically, ciphers were often used directly for encryption or
decryption without additional procedures such as authentication or integrity checks.
Within the context of any application-to-application communication, there are some
specific security requirements, including [1]:
• Privacy/confidentiality: Ensuring that no one can read the message except
the intended receiver.
• Authentication: The process of proving one's identity. (The primary forms of
host-to-host authentication on the Internet today are name-based or addressbased, both of which are notoriously weak.)
• Integrity: Assuring the receiver that the received message has not been
altered in any way from the original.
• Non-repudiation: A mechanism to prove that the sender really sent this
message.
Cryptography, then, not only protects data from theft or alteration, but can also be
used for user authentication. There are, in general, three types of cryptographic
primitives typically used to accomplish these goals: secret key cryptography, publickey cryptography and hash functions, each of which is described below. In all cases,
the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext,
which will in turn (usually) be decrypted into usable plaintext. In all cases the benefit
of encryption is that the ciphertext does not have to be kept secret, it could be
broadcast over a satellite or published in a newspaper since only someone with the
correct key can read the message. Encryption has transformed the problem of keeping
lots of message secret into the problem of keeping a single key secret. A key is
relatively small and usually will be used for long periods of time.
2.1

Secret key cryptography

Secret key cryptography is an encryption scheme consisting of the sets of encryption
and decryption transformations {Ee ∈ K} and {Dd ∈ K}, respectively and K is the key
space. The encryption scheme is said to be symmetric-key if for each associated
encryption/decryption key pair (e,d), it is valid e=d (Fig. 1).

4

Hristina Mihajloska, Vesna Dimitrova and Ljupcho Antovski

Fig. 1.: Two-party communication using secret key cryptography with a secure channel for key
exchange [1]

2.2

Public key cryptography

Let {Ee ∈ K} be a set of encryption transformations, and let {Dd ∈ K} be the set of
corresponding decryption transformations, where K is the key space. Consider any
pair of associated encryption/decryption transformations (Ee; Dd) and suppose that
each pair has the property that knowing Ee it is computationally infeasible, given a
random ciphertext c, to find the message m, such that Ee(m)=c. This property implies
that with given public key e it is infeasible to determine the corresponding secret key
d (Fig. 2).

Fig. 2.: Two-party communication using public key cryptography using unsecured channel for
key exchange [1]

Secret key and public key systems are often used together. The secret key method
provides the fastest decryption, and the public key method provides a convenient way
to transmit the secret key. This is called a "digital envelope."
Another nice property of private key method is the process known as digital signing.
Digital signature is used to verify the origin of the message of the sender. It is used to
resolve any authentication issues between sender and receiver. If sender encrypts a

Security Aspects of Electronic Voting Systems

5

message with his private key, the recipient of the message can decrypt it with sender’s
public key.
2.3

Hash Functions

Hash functions, also called message digests and one-way encryptions are algorithms
that, in some sense, use no key. Instead, a fixed-length hash value is computed based
upon the plaintext that makes it impossible for either the contents or length of the
plaintext to be recovered. Hash algorithms are typically used to provide a digital
fingerprint of a file's content, often used to ensure that the file has not been altered by
an intruder or virus. Hash functions are also commonly employed by many operating
systems to encrypt passwords, and provide a measure of the integrity of a file [10].
The most common cryptographic uses of hash functions are with digital signatures but
also for data integrity and in protocols involving a priori commitments. With digital
signatures, a long message is usually hashed and only the hash-value is signed. The
party receiving the message then hashes the received message, and verifies that the
received signature is correct for this hash-value.

3

Electronic voting systems

An electronic voting system is a voting system in which the election data is recorded,
stored and processed primarily as digital information [11]. E-voting is short for
“electronic voting” and refers to any voting process where an electronic means is used
for votes casting and results counting. Also e-voting is an election system that allows
a voter to record his or her secure and secret ballot electronically. A number of
electronic voting systems are used worldwide, from optical scanners which read
manually marked ballots to entirely electronic touch screen voting systems.
Specialized voting systems like DRE (direct recording electronic) voting systems,
punch cards, national IDs, the Internet, computer networks, and telephony systems are
also used in voting processes.
3.1

Types of e-voting systems

A computer system whose main element is software component that maps the voting
procedure electronically is called an e-voting system [13].
Today there are quite a lot of e-voting systems. All these systems we can separate into
two groups as follow: paper-based e-voting systems and DRE e-voting systems.
Paper-based e-voting system belongs to the group of electronic voting systems,
because a touch screen is used in voting process and counting is electronically using
optical-scan voting system. After the voter has finished casting his votes, the unit
prints out a hardcopy of the ballot which the voter has to pass to the election officer in
charge so that it can be counted in a centralized location. The ballots will then be
counted through optical-scan voting systems. This system has the advantage of a

6

Hristina Mihajloska, Vesna Dimitrova and Ljupcho Antovski

paper trail as every person’s votes are recorded on a piece of paper. This tangibility
reassures voters that their choices are being counted. However, holes that are not
properly aligned in punch card or stray marks on an optical-scan card may lead to a
vote not being counted by the machine. Moreover, physical ballots can still be lost
during or after transit to the counting stations.
DRE stands for "Direct Recording Electronic" voting system. As the name suggests,
the voter directly enters the votes, which are recorded electronically. DRE machine is
a special case of such a system as it implements all steps of voting process, from
identification the identity of the voter and ballot casting to counting the votes and
producing a tabulation of the voting data.
Almost all touch screen voting machines are DREs, although there are other DREs
that have knobs or switches instead of touch screens. Voters view ballots on a screen
and make choices using an input device such as a set of buttons or a touch screen.
Many DRE devices also have the capacity to print a paper record of ballots cast, so
voter cast it in a traditional ballot box. This can help in the verification process of the
counting. Votes in DRE are stored on a memory card, compact discs or other memory
device. Election officials transport these memory devices to a centralized location for
tabulation, just as they would with paper-based ballots [3].
Also a DRE system can have many advantages over paper-based systems, like no
limitations on a ballot’s appearance, ballots in any language, fully accessible for
persons with disabilities. Since votes are recorded on a memory device, tabulation
takes less time. There are no paper ballots to scan, so there’s less risk of mechanical
error. While human error is still a factor and there is always a concern about software
bugs. In an ideal system, tabulation is instantaneous with no need for recounts.
3.2

E-voting process

When the voter enters the voting place, he must have same kind of valid identity
verification. When a poll worker confirms that the voter is registered, the voter is
found in the electoral lists, he/she gave a “smart-card” to the voter. A "smart-card" is
a card the size and shape of a credit-card which contains a computer chip, some
memory and basic data such as the voter's voting language and political party. The
voter than takes a smart card to a voting machine and inserts it into the machine to
allow him/her voting. Than the machine presents the ballot on the screen and waits for
the voter choice. After using the touch screen to vote, the record of the vote is directly
recording electronically to multiple, internal flash memory cards and the voter’s smart
card is reset to ensure that it can only be used to vote once. The smart card pops out of
the machine with a “loud” click and the voter returns it to a poll worker. When the
polls close, a poll worker or election official inserts a different-type of smart card, i.e.,
an administrator card, into each voting machine and puts the machine into a
postelection mode where it will no longer record votes. At this point, the machine
writes the votes from its internal memory to flash memory on a "PCMCIA card". A
printed tape of all votes cast or vote totals for the voting machine can also be printed
out at this time depending on local procedure and regulations.

Security Aspects of Electronic Voting Systems

7

The PCMCIA cards are taken out of each machine and either taken to a central
tabulation facility or to remote tabulation facilities. At the tabulation facility the votes
are read out of the PCMCIA cards and into a central computer database where
precincts are combined to result in an aggregate vote. For remote facilities, the votes
are transmitted to the central tabulation facility via a closed "Intranet", the Internet or
modem. The PCMCIA cards and any printouts from the voting machines can then
become part of the official record of the election.

4

Security of the e-voting systems

The main goal of a secure e-voting is to ensure the privacy of the voters and accuracy
of the votes. A secure e-voting system shall fulfill (at least) the following
requirements [4]:
• Eligibility: only votes of legitimate voters shall be taken into account;
• Unreusability: each voter shall only be able to cast one vote;
• Anonymity: all votes shall be secret;
• Accuracy: cast ballot cannot be altered. Moreover, it must not be possible to
delete ballots nor to add ballots once the election has been closed;
• Fairness: partial tabulation before the end of the election must be impossible;
• Vote and go: once a voter has cast his vote, there is no further action he
needs to take;
• Public verifiability: anyone should be able to readily check the validity of the
whole voting process.
Anonymity and secrecy of the vote are guaranteed by three measures:
1. The electronic ballot box, which contains the encrypted votes, is not linked
to the electoral register.
2. The electronic ballot box is sorted in a haphazard way before being
decrypted, which offers a protection against the misuse of log files. Indeed, it
might be possible to reconstruct the order of arrival of the electronic ballots
and break the vote anonymity by comparing this order with the date and time
of each vote.
3. The electoral register used in the system does not contain names but only
numeric identifiers. Accessing this register would not allow to know the
voters’ identities.
One of the differences between electronic voting and e-banking lays in the fact that, in
the former, it is impossible to give the voter a proof of his transaction. In e-banking as
in any other e-business transaction, the user can see the result of his action by
receiving the goods he ordered, or by seeing his account’s position. In the vote
procedure, giving a formal proof of the ballot content is contrary to the principle of
anonymity and secrecy of the vote. It is however possible to give a receipt for the
registered vote.
Our opinion is that unique formal proof for voter which can enabled him/her to be
sure that the vote will be count is to obtain printed ballot after he/she will cast the vote
on the e-voting machine. In all other cases voting will be unsecured and rules of
privacy of the voter and secrecy of the vote will be broken.

8

Hristina Mihajloska, Vesna Dimitrova and Ljupcho Antovski

We analyze one of the most popular cryptographic e-voting security software,
Pnyx.core which is developed by Scytl. It is a software module that implements a
cryptographic protocol especially developed to solve the problems of privacy and
security in e-voting systems.
A voter prepares a ballot, encrypts and signs the ballot, and finally sends the resulting
pair of ciphertext and signature to a voting server. The ballot is encrypted using the
public key of the mixing service, and the ballot is signed using the voter’s signing
key. At the end of the election, the mixing service verifies the signatures of all of the
votes, decrypts all of the ballots using the canvassing board private key, and then
stores the decrypted ballots in a random order. The resulting list of decrypted ballot is
signed using the canvassing board private key.
Because there is no public key infrastructure for all voters, each election requires the
generation of signature keys for each voter. Therefore, a key generation step, which
occurs on the Mixing Service before the election begins, generates random new keys
(and certificates) for all of the voters. The secret portion of the signature key is then
encrypted with a randomly chosen password. Finally this password is encrypted under
the encryption key of the poll workers.
This process results in three files: (a) one file consisting of secret signature keys
encrypted under a password, (b) one file consisting of corresponding passwords
encrypted under the poll worker keys, and (c) a file consisting of the public parts of
the signature keys. Part (a) is transferred manually to the Voting server, and (b) is
transferred manually to the Credential Provisioning Service, and (c) is made public (in
particular, transferred to the mixing server).
When the voter arrives at the polling place and has been confirmed as a voter, the poll
worker downloads the encrypted password for that voter from the Credential
Provisioning Service, decrypts it and stores it onto a smart card. The poll worker then
accompanies the voter to the voting laptop, inserts the smart card, and leaves. The
voting client then downloads the voter’s signing key from the Voting server and uses
the password on the smart card to decrypt the secret part of the signature key.
In order to distribute trust across many parties, the mixing service’s decryption key is
split into several parts and distributed to different canvassing board officials. During
the tally process, these officials need to enter their own parts of the key into the
mixing server to decrypt the ballots [6].
After analyzing this security protocol we conclude that this protocol has implemented
all of the requirements need for secure e-voting system. In technical sense, an idea of
Scytl to build this kind of system with quoted cryptographic primitives is interesting
and technically sophisticated.
We feel that there is a room for improvement [9]. The focus is on the randomness of
the generated numbers. It is very important that randomly generated signature keys
are implemented as well, because of the probability of a collision are much greater.
Also, it is important that the keys are generated in a truly random way. If for a group
of voters is possible to generate the same key for all of them, so it is still theoretically
possible some valid votes to be discarded by the centralized tabulating entity.
It is a good practice to use separate cryptographic key pairs for the processes of
encryption and signing.

Security Aspects of Electronic Voting Systems

9

The randomness used to shuffle votes by the mixing service should be
cryptographically very strong not to always rely on the use of embedded standard
library random number generator.

5

Conclusion

Electronic voting systems have many advantages over the traditional way of voting.
Some of these advantages are lesser cost, faster tabulation of results, improved
accessibility, greater accuracy, and lower risk of human and mechanical errors.
It is very difficult to design ideal e-voting system which can allow security and
privacy on the high level with no compromise. Something to which we will tend is to
design a system which can be easy to use and will provide security and privacy of
votes on acceptable level.
References
1. Alfred, J., Menezes, Paul, C., van, Oorschot, Scott, A., Vanstone: Handbook of applied
cryptography. CRC Press, October (1996)
2. Antovski, Lj. Ribarski, P., Mobile Voting: Overview of the Road from Paper to Mobile. In:
Proc. of the mLife 2009 Conference, ISBN 0-9763341-3-5, Barcelona (2009)
3. Bonsor, K., Strickland, J.:How e-voting works. In: http://www.howstuffworks.com
4. Canard, S., Sibert, H.: How to fit cryptographic e-voting into smart cards. In: Fundamental
Informaticae XXI, pp. 1001--1012. IOS Press (2001)
5. Chaum, David: Secret-Ballot Receipts: True Voter-Verifiable Elections. In: IEEE Security
and Privacy, vol. 2, no. 1, pp. 38—47, January (2004)
6. Clarkson, M., Hay, B., Inge, M., Shelat, A., Wagner, D., Yasinsac A.: Software Review and
Security Analysis of Scytl Remote Voting Software. September (2008)
7. Cranor, L., Cytron, R.: Design and implementation of a practical security-conscious
electronic polling system. Technical Report WUCS-96-02, Washington University (1996)
8. Dimitrova, V.: Security aspects for mobile communications. In: M.Gushev (ed.) Wireless
and Mobile Technologies, Institute of Informatics, Faculty of Natural Science and
Mathematics, pp 69—80, Skopje (2003)
9. Dimitrova, V., Markovski, J: On Quasigroup Pseudo Random Sequence Generators, In:
Proc. of the -st Balkan Conference in Informatics, pp.393 – 401,Thessaloniki, Greece (2003)
10.Gary., C., Kessler: An Overview of Cryptography. In: 1999 Edition of Handbook on Local
Area Networks. Auerbach, September (1998)
11.Gritzalis, D.:Secure Electronic Voting New trends, new threats… In: 7-th Computer
Security Incidents Response Teams Workshop, Syros, Greece, September (2002)
12.Information Security Laboratory http://islab.oregonstate.edu
13. Ondrisek, B.: E-Voting System Security Optimization. In: Proceedings of the 42nd Hawaii
International Conference on System Sciences (2009)

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close