
Electronic Voting Network Security

Date post: 10-Feb-2016
Edward Bigos, George Duval, D. Seth Hunter, Katie Schroth

Outline

• Introduction & Overview
• Network Definition
• Funding & Certification
• Security Concerns
• Recommendations
• Conclusion

Introduction

• Election security is a historic concern
  – Decides who has power and control
  – Often a heavily distributed process
  – Ancient Greeks cast secret, fully-auditable ballots
• Several important components
  – Anonymity of votes
  – Authentication of voters
  – Integrity of votes
  – Result tampering
  – Result validation

Overview

• First nationwide attempt at electronic voting in 2004 Presidential Election
  – PC-based DRE Voting Machines and Central Tabulators
• Network security concerns exist at the Central Tabulators and their links to voting machines
  – Network capability just as important as actual usage
• Disclaimer: NOT a political argument
  – Election security in a modern context
  – Recent election chosen solely because it was the first large-scale rollout of such technology

Network Definition

• ‘Legacy’ voting machines
  – Punch card readers
  – Optical scanners
• Direct Recording Electronic (DRE) machines
  – AccuVote-TS
• Central Tabulators
  – Diebold GEMS
• Network capabilities
  – Ethernet NIC
  – Dial-up modem (commonly used)
  – Occasionally, wireless NIC!
  – Little to no protection, and enabled by default.

Funding And Certification of E-voting systems

Significance

• Need to determine how, and from where, the money comes to upgrade the voting systems.
• Who and what establishes the standard that the new machines are tested against

HAVA, NASED and the ITA

• Help America Vote Act (HAVA)
  – Formed from the Federal elections commission to funnel funds to upgrade voting equipment
• National Association of State Election Directors (NASED)
  – Formed out of the Election Assistance Commission to help standardize the evaluation of Equipment
• Independent Testing Authorities (ITA)
  – “Specialists” hired to test the HW and SW of the new Electronic Voting Equipment.

Independent Testing Authorities: Pot-holes in the system

• Wyle Labs were used for the HW testing
  – Left security to be tested by the manufacturer
• Ciber Inc hired to test SW
  – Penetration and security tests “Not Applicable”

Integrity and Security Concerns

• Vote Integrity
  – Entry point problems:
    • Punch Cards, Optical Scanners and DREs
• Rogue Voting Machines
  – Vulnerable to malicious attacks like:
    • Network Access, Authentication, Man-in-the-Middle, Desynchronization
• Eavesdropping
  – Line taps, Packet sniffing and Man-In-The-Middle
• Result Tampering

Hypothetical Tampering

• Tampering without notice
• Point of Entry: National Election Poll
  – Assume a direct link to the Central Tabulators is accessible to NEP workers
• Gains access to the network
• Accesses the database
• Likely Suspects:
  – NEP poll worker or a technician familiar with the manufacturing of the voting equipment

Security of Electronic Voting

Notable Security Reviews

• Hopkins Report
  – Review of voting terminal security.
• SAIC Report
  – Management controls
• RABA Report
  – Actual security tests.

Hopkins Report

• In-depth review of C++ source code left on an open Diebold FTP server.
• Suggested several potential attacks.
• “cryptography, when used at all, is used incorrectly”
  – Hard coded encryption key = F2654hD4. Same since 1998!
  – “Even unsophisticated attackers can perform ‘untraceable’ man-in-the-middle attacks.”

Key Points from the Hopkins Report

• Key Management
  – A hard coded key:
    • #define DESKEY ((des_key*)"F2654hD4")
• Encryption
  – Implementation always uses zero for its IV.
    • DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT);
• Message Authentication
  – 16-bit CRC of the plaintext data is an un-keyed public function
  – CRC is stored with the cipher text in the file and read whenever it's decrypted and verified.
  – Problem is that the cipher text shouldn’t be stored with the CRC in an unencrypted form.

SAIC Report

• Management and policy, not a technical review. Commissioned by MD Governor Ehrlich.
  – Suggested the use of controls & “tamper tape”.

• “Dr Rubin did not have a complete understanding of Maryland’s implementation, process, controls and environment.”

• Conclusion: Systems at high risk, but risk could be mitigated by management controls.

RABA Report

• Reviewed & critiqued the Hopkins & SAIC.
  – Hopkins report substantially correct.
  – Agrees with the evaluation that the election station software code quality is poor.
• RED TEAM laboratory exercise.
  – Used current Diebold source and actual AccuVote-TS hardware (January 2004).
  – Poor security related to DES key (F2654hD4) and administrative password (1111) still unchanged in newest versions.

Recommendations

Plug Most Severe Network Security Vulnerabilities

• DRE Voting Machines
  – Mandatory paper ballot receipts
    • Ensuring that a proper recount can be conducted
    • Finding a compromised DRE does not mean lost votes
• Central Tabulators
  – Open Source Code
    • Eliminating the need for ITAs
    • Ensuring secure software solutions

Policies & Regulations

• Audit Reform
  – Require a standard for recognizing the need for a recount
• Prohibit Direct Feeds into Central Tabulators
  – Only as strong as the weakest link
  – Other network feeds increase vulnerability

Conclusions

• Defined the system components of the election network
• Discussed financing and certification
• Explained network security concerns for the system components
• Suggested first steps to improving network security

Backup

Key Management

• Code snippet reveals a hard coded key:
  – #define DESKEY ((des_key*)"F2654hD4") [1]

[1] Kohno, Stubblefield, Rubin, Wallach. “Analysis of an Electronic Voting System.” IEEE Symposium on Security and Privacy 2004. IEEE Computer Society Press, May 2004.

Encryption

• Another code sample of the GEMS software source code shows that the implementation always uses zero for its IV.
  – DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT);
• A NULL in the IV argument forces DesCBCEncrypt to use all zeros.
• “Strong” random numbers are required for each encryption in CBC mode.
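Added example (not from the slides or from the Diebold source): what a fixed all-zero IV costs in CBC mode. A toy 64-bit Feistel permutation stands in for DES so the block runs with the standard library only; the key, the records and every function name are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 8  # DES block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 64-bit Feistel permutation standing in for DES (assumption: NOT DES)."""
    left, right = block[:4], block[4:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right

def cbc_encrypt(key, iv, plaintext):
    """CBC: XOR each padded plaintext block with the previous ciphertext block."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, b""
    for off in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[off:off + BLOCK], prev))
        out += prev
    return out

def shared_prefix_blocks(c1, c2):
    """Count leading ciphertext blocks that are byte-for-byte identical."""
    n = 0
    for off in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[off:off + BLOCK] != c2[off:off + BLOCK]:
            break
        n += 1
    return n

KEY = b"constructed-demo-key"             # constructed, not the key on the slide
REC_A = b"PRECINCT-0042;RACE-01;CAND-A"    # constructed sample records that
REC_B = b"PRECINCT-0042;RACE-01;CAND-B"    # differ only in the last byte
ZERO_IV = bytes(BLOCK)                     # what passing NULL as the IV amounts to

def fresh_iv():
    return os.urandom(BLOCK)  # unpredictable per-record IV, stored with the ciphertext

def leak(iv_a, iv_b):
    """Identical leading blocks an observer sees between the two encrypted records."""
    return shared_prefix_blocks(cbc_encrypt(KEY, iv_a, REC_A), cbc_encrypt(KEY, iv_b, REC_B))

if __name__ == "__main__":
    print("zero IV:", leak(ZERO_IV, ZERO_IV), "random IV:", leak(fresh_iv(), fresh_iv()))
```

With the zero IV the two ciphertexts agree on every block up to the first differing plaintext byte, so stored records reveal which entries share a prefix; with a fresh IV per record they share nothing.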

Message Authentication

• 16-bit CRC of the plaintext data is an un-keyed public function
• CRC is stored with the cipher text in the file and read whenever it's decrypted and verified.
• Problem is that the cipher text shouldn’t be stored with the CRC in an unencrypted form.
  – Better to first encrypt the data to be stored and then to compute a keyed cryptographic checksum of the cipher text.
  – The checksum could then be used to detect any tampering with the plaintext.
  – Since each entry has a timestamp, it can be used to detect reordering
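Added example (not from the slides or the reviewed code): the un-keyed CRC check next to the recommended keyed checksum over the cipher text, with the entry timestamp covered by the checksum and used to flag reordering. HMAC-SHA-256, the CRC-CCITT polynomial, the key, the log entries and all function names are assumptions made for illustration.

```python
import binascii
import hashlib
import hmac

def crc_tag(plaintext):
    """Un-keyed 16-bit CRC (CRC-CCITT via crc_hqx; the polynomial is an assumption)."""
    return binascii.crc_hqx(plaintext, 0)

def crc_verify(plaintext, stored_crc):
    return crc_tag(plaintext) == stored_crc

def mac_tag(mac_key, timestamp, ciphertext):
    """Keyed checksum over the timestamp and the cipher text (encrypt, then MAC)."""
    msg = timestamp.to_bytes(8, "big") + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal_log(mac_key, entries):
    """entries: [(timestamp, ciphertext)] -> [(timestamp, ciphertext, tag)]."""
    return [(ts, ct, mac_tag(mac_key, ts, ct)) for ts, ct in entries]

def verify_log(mac_key, sealed):
    """Return indexes whose tag fails or whose timestamp runs backwards."""
    bad, last_ts = [], -1
    for i, (ts, ct, tag) in enumerate(sealed):
        if not hmac.compare_digest(tag, mac_tag(mac_key, ts, ct)) or ts < last_ts:
            bad.append(i)
        last_ts = max(last_ts, ts)
    return bad

MAC_KEY = b"constructed-mac-key"  # constructed; kept separate from the encryption key
ENTRIES = [                       # constructed (timestamp, opaque cipher text) pairs
    (1000, b"\x8a\x11\x42\x9c"),
    (1005, b"\x03\xfe\x77\x10"),
    (1010, b"\xd4\x5b\x29\xe6"),
]

def demo():
    sealed = seal_log(MAC_KEY, ENTRIES)
    edited = list(sealed)
    edited[1] = (1005, b"\x03\xfe\x77\x11", sealed[1][2])  # one cipher text byte changed
    swapped = [sealed[1], sealed[0], sealed[2]]            # two entries reordered
    changed = b"constructed record, altered"
    return {
        # Anyone can recompute the CRC, so a changed record still verifies.
        "crc_accepts_recomputed": crc_verify(changed, crc_tag(changed)),
        "intact": verify_log(MAC_KEY, sealed),
        "edited": verify_log(MAC_KEY, edited),
        "swapped": verify_log(MAC_KEY, swapped),
    }
```

Entries that carry the same timestamp can still be swapped without detection by this check; a per-entry sequence number under the same keyed checksum would close that gap.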

