Providing Trusted Paths Using Untrusted Components

1
Providing Trusted Paths Using Untrusted
Components

• Andre L. M. dos Santos
• Georgia Institute of Technology
• andre_at_cc.gatech.edu

2
Electronic Voting

• Assumptions
• There is a framework for electronic voting
• All the crypto is embedded in the framework.
• Smart cards, USB tokens, or any other portable
  tamper resistant device adds security to
  electronic voting.
• Problem
• Would a tamper proof smart card solve all
  problems of electronic voting?

3
Do You Know to Whom are you Voting ?
4
What is the problem?
I vote for John
Hommers Vote is for Bob

• The devices that are used for direct I/O with a
  human needs to be tamper proof.
• So, not only the card needs to be tamper proof .

• Or NOT ????

5
Hard AI Problems

• Informally, something that humans can do easily
  but computers can't.
• CAPTCHA -- Completely Automated Turing Test to
  Tell Computers and Humans Apart
• Generate random message, transform it, ask human
  to repeat it
• Transformation problem
• Subset of hard AI problems that transform a
  message
• Example distort text of message so that only
  humans can read it

6
KHAP Keyed Hard AI Problems

• A transformation problem that includes a shared
  secret key
• Instances generated with different keys are
  distinguishable
• Computers can't steal keys from messages
• Formalisms (tT(m,k) is (a, ß, ?, d, e, ?)-keyed
  transformation)
• the probability that a human can extract m from t
  is at least a
• the probability that a human with knowledge of k
  can correctly verify whether k was used to create
  t is at least ß
• there does not exist a computer program that runs
  in time ? such that the probability of the
  program extracting m from t is greater than ?
• there does not exist a computer program that runs
  in time ? such that the probability of the
  program extracting k from t is greater than d
• let A be a computer program that modifies t to
  include m ? m there does not exist an A that
  runs in time ? such that the probability of a
  human failing to detect the modification is
  greater than e

7
Protocol
8
3-D Keyed Transformation

• Render text and objects in a 3-D scene to 2-D
  image (raytrace)
• Randomize parameters (lighting, position,
  rotation, size, colors)
• Human can read text from 2-D image
• Key is appearance of objects
• Human looks for particular objects in scene
• Scene is hard to modify in a meaningful way
  (shadows, reflections, finding objects)
• Provide authenticity (presence of keys) and
  integrity (modifications can be detected by
  human)

9
E-Voting using 3-D Images
10
E-Voting using 3-D Images
11
Considerations

• How does a human confirm a message?
• Disconnect, or not, trusted platform
• When should you connect your platform?
• Confirmation word
• How does a low computing power device performs
  the transformation?
• Can use (semi) trusted servers connected using an
  anonymizing network
• Needs to worry about covert channels
• What is the best transformation?
• Others examples are speech and text.

12
Considerations

• Replays and Human Professors
• Time stamps
• Aging
• Spatial relationships
• Easy to guess keys
• Cute puppy dog!
• May be easier to avoid

13
Conclusions

• This is a general approach for interacting with
  trusted computers
• Many features of electronic voting systems help
  the use of this approach
• Easy to use
• Avoid computation, memory aids ask humans to do
  what they do best
• Some problems are intuitive (e.g., recognizing
  voice)