Electronic Voting Network Security

1
Electronic Voting Network Security

• Edward Bigos
• George Duval
• D. Seth Hunter
• Katie Schroth

2
Outline

• Introduction Overview
• Network Definition
• Funding Certification
• Security Concerns
• Recommendations
• Conclusion

3
Introduction

• Election security is a historic concern
• Decides who has power and control
• Often a heavily distributed process
• Ancient Greeks cast secret, fully-auditable
  ballots
• Several important components
• Anonymity of votes
• Authentication of voters
• Integrity of votes
• Result tampering
• Result validation

4
Overview

• First nationwide attempt at electronic voting in
  2004 Presidential Election
• PC-based DRE Voting Machines and Central
  Tabulators
• Network security concerns exist at the Central
  Tabulators and their links to voting machines
• Network capability just as important as actual
  usage
• Disclaimer NOT a political argument
• Election security in a modern context
• Recent election chosen solely because it was the
  first large-scale rollout of such technology

5
Network Definition

• Legacy voting machines
• Punch card readers
• Optical scanners
• Direct Recording Electronic (DRE) machines
• AccuVote-TS
• Central Tabulators
• Diebold GEMS
• Network capabilities
• Ethernet NIC
• Dial-up modem commonly used.
• Occasionally, wireless NIC!
• Little to no protection, and enabled by default.

6
Funding And Certification of E-voting systems
7
Significance

• Need to determine How and Where the money comes
  from to upgrade the voting systems.
• Who and What establishes the Standard that the
  new machines are tested against

8
HAVA, NASED and the ITA

• Help America Vote Act (HAVA)
• Formed from the Federal elections commission to
  funnel funds to upgrade voting equipment
• National Association of State Election Directors
  (NASED)
• Formed out of the Election Assistance Commission
  to help standardize the evaluation of Equipment
• Independent Testing Authorities (ITA)
• Specialists hired to test the HW and SW of the
  new Electronic Voting Equipment.

9
Independent Testing AuthoritiesPot-holes in the
system

• Wyle Labs were used for the HW testing
• Left security to be tested by the manufacturer
• Ciber Inc Hired to test SW
• Penetration and security tests Not Applicable

10
Integrity and Security Concerns

• Vote Integrity
• Entry point Problems
• Punch Cards, Optical Scanners and DREs
• Rogue Voting Machines
• Vulnerable to malicious attacks like
• Network Access, Authentication,
  Man-in-the-Middle, Desynchronization
• Eavesdropping
• Line taps, Packet sniffing and Man-In-The-Middle
• Result Tampering

11
Hypothetical Tampering

• Tampering with out notice
• Point of Entry National Election Poll
• Assume a direct link to the Central Tabulators
  are accessible to NEP workers
• Gains Access to the network
• Accesses the Database
• Likely Suspects
• NEP poll worker or a Technician familiar with the
  manufacturing of the voting equipment

12
Security ofElectronic Voting
13
Notable Security Reviews

• Hopkins Report
• Review of voting terminal security.
• SAIC Report
• Management controls
• RABA Report
• Actual security tests.

14
Hopkins Report

• In depth review of C source code left on an
  open Diebold FTP server.
• Suggested several potential attacks.
• cryptography, when used at all, is used
  incorrectly
• Hard coded encryption key F2654hD4. Same since
  1998 !
• Even unsophisticated attackers can perform
  untraceable man-in-the-middle attacks.

15
Key Points from the Hopkins Report

• Key Management
• a hard coded key
• define DESKEY ((des_key)"F2654hD4")
• Encryption
• implementation always uses zero for its IV.
• DesCBCEncrypt((des_c_block)tmp,
  (des_c_block)record.m_Data, totalSize,
• DESKEY, NULL, DES_ENCRYPT)
• Message Authentication
• 16-bit CRC of the plaintext data is an un-keyed
  public function
• CRC is stored with the Cipher text in the file
  and read whenever its decrypted and verified.
• Problem is that the cipher text shouldnt be
  stored with the CRC in an unencrypted form.

16
SAIC Report

• Management and policy, not a technical review.
  Commissioned by MD Governor Ehrlic.
• Suggested the use of controls tamper tape.
• Dr Rubin did not have a complete understanding
  of Marylands implementation, process, controls
  and environment.
• Conclusion Systems at high risk, but risk could
  be mitigated by management controls.

17
RABA Report

• Reviewed critiqued the Hopkins SAIC.
• Hopkins report substantially correct.
• Agrees with the evaluation that the election
  station software code quality is poor.
• RED TEAM laboratory exercise.
• Used current Diebold source and actual
  AccuVote-TS hardware (January 2004).
• Poor security related to DES key (F2654hD4) and
  administrative password (1111) still unchanged in
  newest versions.

18
Recommendations
19
Plug Most Severe Network Security Vulnerabilities

• DRE Voting Machines
• Mandatory paper ballot receipts
• Ensuring that a proper recount can be conducted
• Finding a compromised DRE does not mean lost
  votes
• Central Tabulators
• Open Source Code
• Eliminating the need for ITAs
• Ensuring secure software solutions

20
Policies Regulations

• Audit Reform
• Require a standard for recognizing the need for a
  recount
• Prohibit Direct Feeds into Central Tabulators
• Only as strong as the weakest link
• Other network feeds increases vulnerability

21
Conclusions

• Defined the system components of the election
  network
• Discussed financing and certification
• Explained network security concerns for the
  system components
• Suggested first steps to improving network
  security

22
Backup
23
Key Management

• Code snippet reveals a hard coded key
• define DESKEY ((des_key)"F2654hD4")1
• 1 Kohno, Stubblefield, Rubin, Wallach.
  Analysis of an Electronic Voting System. IEEE
  Symposium on Security and Privacy 2004. IEEE
  Computer Society Press, May 2004.

24
Encryption

• Another code sample of the GEMS software source
  code shows that the implementation always uses
  zero for its IV.
• DesCBCEncrypt((des_c_block)tmp,
  (des_c_block)record.m_Data, totalSize,
• DESKEY, NULL, DES_ENCRYPT)11
• A Null in the argument forces the DesCBCEncrypt
  to use all zeros.
• strong random numbers are required for each
  encryption of CBC mode.

25
Message Authentication

• 16-bit CRC of the plaintext data is an un-keyed
  public function
• CRC is stored with the Cipher text in the file
  and read whenever its decrypted and verified.
• Problem is that the cipher text shouldnt be
  stored with the CRC in an unencrypted form.
• Better to first encrypt the data to be stored and
  then to compute a keyed cryptographic checksum of
  the cipher text.
• The checksum could then be used to detect any
  tampering with the plaintext.
• Since each entry has a timestamp, it can be used
  to detect reordering