25/09/2017 - Page 1
Internet voting by CHvote
Lessons learnt and future work
Direction générale des systèmes d'information
Département de la sécurité et de l'économie
Short Bio
• EPFL MSc in IT
• Master thesis @ CERN Computer Security Team
• IT / Java consultant
• Now
  ◦ Internet voting cryptography @ State of Geneva
  ◦ Java DEV & AppSec
• Outside of work
  ◦ OWASP-Geneva co-chapter leader
  ◦ Married, 2 kids
Thomas Hofer / @thhofer
Outline
Security properties & challenges
CHvote: history and evolution
Federal requirements
The future: protocol overview
Questions
Security properties: Target security properties
• Vote secrecy
• Result integrity
• No early tally
• Availability
• Voter authentication
• Enfranchisement
Security challenges: Partially contradicting requirements and other challenges
• Vote secrecy vs. result integrity
  ◦ Cryptographically challenging (but feasible)
• Enfranchisement vs. authentication
  ◦ Typically opposed
  ◦ But: in CH, voting legitimation cards are sent to voters (Swiss Post is trusted)
  ◦ For mail-in ballots / polling station voting:
    − Voting card + signature + DOB
  ◦ For internet voting:
    − Secrets printed on voting card + DOB
Security challenges: Partially contradicting requirements and other challenges (ctd.)
• Availability
  ◦ OK, but… DDOS??
  ◦ Standard technical counter-measures
  ◦ Internet voting closes 24 hours before polling stations
History: First generation E-Voting system
• 2001: start of project
• 2003: first use
History: First generation E-Voting system
• 2009: Basel Stadt
• 2010: Lucerne & Bern
History: Updated UI
History: New partnerships and future outlook
• Academic partnerships
• New partner cantons
• Open source and publications
Evolution: The birth and death of a Java Applet
• Introduced early on
• Additional security layer
  ◦ Encryption and integrity verification
  ◦ "Backup" in case of SSL breach
• But
  ◦ Requires Java on client terminals (and enabled in the browser!)
  ◦ Prevalent in support requests
  ◦ Costly in tests (compatibility matrix, JRE version, browsers, …)
  ◦ Delivered over SSL
  ◦ Imperfect (cf. Nuit du Hack 2013)
Evolution: The birth and death of a Java Applet
• Removed in 2015
• Individual verifiability
  ◦ "Better" vote integrity verification
Evolution: Log audits and system monitoring
• Threats made around an important vote
  ◦ Daily semi-manual log audits during the voting phase
    − Immensely time-consuming
  ◦ No credible threats detected
• Later replaced by in-house specific log auditing tool
• Now using standard SIEM tools, tailored for our needs
Lessons learnt: "Do not reinvent the wheel!"
• Use standards (when applicable)
  ◦ More efficient, better understood
  ◦ Ex.
    − Splunk vs home-made log analyzer
• Do not roll your own applet (or any applet!)
  ◦ Even more critical for security features
Lessons learnt: Partnerships
• Regular audits are mandatory (by law)
  ◦ Every 3 years, results are public
  ◦ But insufficient…
• Partnerships with external consulting firms
  ◦ Several short-term contracts between 2010 and 2011
  ◦ Stable long-term contracts since 2011
  ◦ Led to improved quality
    − Design reviews before implementation
    − Implementation reviews before use for sensitive changes
Lessons learnt: Partnerships 2.0 – Transparency and open source
• Ethical and idealistic motivations
  ◦ Democratic processes should be owned by the people…
• TEDx talk by Geneva Chancellor A. Wyden Guelpa
  ◦ “How can we heal democracy?”
  ◦ https://www.youtube.com/watch?v=K7gpxZ3FO3s
• But also…
Lessons learnt: Partnerships 2.0 – Transparency and open source
• We're better together than alone!
  ◦ Already a vulnerability identified and fixed on the protocol
    − Before it's even live!
• More interesting for academic partners
  ◦ Open-source means better visibility
• Additional argument for recruitment
  ◦ Better visibility / CV-boost for developers
Federal requirements: New Ordinance on Electronic Voting
• Published in 2013, enacted 2014
  ◦ Collaborative work between lawmakers, academia and operating staff
• Compliance levels
  ◦ The higher the compliance, the more voters allowed
• Reference
  ◦ https://www.bk.admin.ch/themen/pore/evoting/07979/index.html
Federal requirements: Individual Verifiability
Voters must receive proof that the server system has registered the vote as it
was entered by the voter on the user platform – VEleS, art. 4
Federal requirements: End-to-End Encryption
Votes must not be stored or transmitted in unencrypted form at any time from
being entered to tallying. – Technical and administrative requirements, section
3.3.4
Federal requirements: Universal Verifiability
For universal verification, the auditors receive proof that the result has been
ascertained correctly. They must evaluate the proof in an observable procedure.
– VEleS, art. 5 paragraph 4
Federal requirements: Control Components
The trustworthy part of the system includes either one or a small number of
groups of independent components secured by special measures (control
components). Their use must also make any abuse recognisable if per group
only one of the control components works correctly and in particular is not
manipulated unnoticed. – VEleS, art. 5, par. 6
Federal requirements: Compliance levels
• First level
  ◦ Internet voting for up to 30% of voters
• Second level
  ◦ Add individual verifiability
  ◦ Add certifying audit
  ◦ Internet voting for up to 50% of voters
• Third level
  ◦ Add universal verifiability, control components and end-to-end encryption
  ◦ New certifying audit
  ◦ Internet voting for up to 100% of voters
Protocol actors: Stakeholders from the perspective of the cryptographic protocol
• Election officer
• Control components
• Bulletin Board
• Voting client
• Voter
• Printing Authorities
Key cryptographic primitives: A brief overview
• El Gamal homomorphic encryption
• Oblivious Transfer for individual verifiability
  ◦ Cast-as-Intended Verification in Electronic Elections Based on Oblivious Transfer
• Pedersen Commitments
• Non-interactive Zero-Knowledge Proofs (ZKP)
• Wikström’s Proof of a Shuffle
Homomorphic encryption: What is it?
• Principles
  ◦ Operations performed on cipher texts
  ◦ Result visible on recovered plain texts
  ◦ Example:
    − Encrypt 2
    − Multiply cipher text by 3
    − Decrypt
    − Result is 6
• For this project: El Gamal encryption
Homomorphic encryption: How and why?
• Used for voter credentials
  ◦ Voter authentication
• Used for encrypting the ballots
  ◦ Vote secrecy
• Allows re-encryptions
  ◦ Useful for anonymizing when shuffling
  ◦ Vote secrecy
• Allows for key sharing
  ◦ Control components each hold a key share
  ◦ Vote secrecy & result integrity
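The three ElGamal properties from the two slides above (multiplying ciphertexts, re-encryption, key shares held by control components), as an added example that is not part of the talk or of the CHvote code. The group parameters are toy values constructed for illustration and all function names are hypothetical; here the ciphertext is multiplied by an encryption of 3.

```python
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# safe prime P = 2*Q + 1; G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    """Uniform exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1

def keygen_share():
    """One control component's key share: (secret share, public share)."""
    sk = rand_exp()
    return sk, pow(G, sk, P)

def joint_public_key(public_shares):
    """Election key = product of public shares = G^(sum of secret shares)."""
    pk = 1
    for share in public_shares:
        pk = pk * share % P
    return pk

def encrypt(m, pk):
    """ElGamal encryption of a subgroup element m: (m * pk^r, G^r)."""
    r = rand_exp()
    return (m * pow(pk, r, P) % P, pow(G, r, P))

def multiply(c1, c2):
    """Component-wise product of ciphertexts multiplies the plaintexts."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def reencrypt(c, pk):
    """Same plaintext, fresh randomness: multiply by an encryption of 1."""
    return multiply(c, encrypt(1, pk))

def partial_decrypt(c, sk):
    """One component's contribution b^sk; sk itself is never shared."""
    return pow(c[1], sk, P)

def combine(c, partials):
    """Divide the first ciphertext half by every component's contribution."""
    mask = 1
    for part in partials:
        mask = mask * part % P
    return c[0] * pow(mask, P - 2, P) % P  # exponent P-2 gives the inverse

def demo(n_components=3):
    keys = [keygen_share() for _ in range(n_components)]
    pk = joint_public_key([pub for _, pub in keys])
    c6 = multiply(encrypt(2, pk), encrypt(3, pk))  # slide example: 2 * 3
    mixed = reencrypt(c6, pk)                      # differs from c6, same plaintext
    parts = [partial_decrypt(mixed, sk) for sk, _ in keys]
    return combine(mixed, parts), mixed != c6

if __name__ == "__main__":
    print(demo())
```

Decryption only succeeds when every component contributes its partial decryption; with one share missing the result is a masked value, not the plaintext.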
Oblivious Transfer: What does it mean and why is it useful?
• In short
  ◦ Server knows n secret messages
  ◦ Client allowed to retrieve k secret messages
  ◦ Server cannot know which messages the client asked for
  ◦ Perfect match for the verification codes issue!
  ◦ Vote secrecy & Result integrity
• In detail
  ◦ Cast-as-Intended Verification in Electronic Elections Based on Oblivious Transfer
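A k-out-of-n oblivious transfer of verification codes, as an added example that is not taken from the talk, the cited paper or the CHvote code. It uses a discrete-log construction with multiplicative blinding chosen for illustration; the toy group, the representation of options as small primes, the sample codes and all function names are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def choice_elements(n):
    """Assumption: option i is the i-th smallest prime lying in the subgroup."""
    found, x = [], 2
    while len(found) < n:
        if all(x % d for d in range(2, int(x ** 0.5) + 1)) and pow(x, Q, P) == 1:
            found.append(x)
        x += 1
    return found

def pad(key, length):
    """Hash a group element into a one-time pad (codes of up to 32 bytes)."""
    return hashlib.sha256(str(key).encode()).digest()[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def client_query(selections, gammas):
    """Blind each selected element with G^r; a query is uniform in the subgroup."""
    rs = [secrets.randbelow(Q) for _ in selections]
    queries = [gammas[s] * pow(G, r, P) % P for s, r in zip(selections, rs)]
    return queries, rs

def server_reply(queries, codes, gammas):
    """Answer k queries without learning which of the n codes they target."""
    z = secrets.randbelow(Q - 1) + 1  # fresh server secret for this reply
    bs = [pow(a, z, P) for a in queries]
    cs = [xor(code, pad(pow(g_i, z, P), len(code)))
          for code, g_i in zip(codes, gammas)]
    return bs, cs, pow(G, z, P)

def client_open(reply, selections, rs):
    """Unblind: b * d^(-r) = gamma_s^z, the pad key of the selected code only."""
    bs, cs, d = reply
    keys = [b * pow(d, Q - r, P) % P for b, r in zip(bs, rs)]
    return [xor(cs[s], pad(k, len(cs[s]))) for s, k in zip(selections, keys)]

def demo():
    codes = [b"K7Q2", b"M4XD", b"P9RT", b"Z1BW"]  # constructed verification codes
    gammas = choice_elements(len(codes))
    selections = [1, 3]                           # the voter's k = 2 choices
    queries, rs = client_query(selections, gammas)
    reply = server_reply(queries, codes, gammas)
    return client_open(reply, selections, rs)

if __name__ == "__main__":
    print(demo())
```

The server sees only the blinded queries, and the client obtains one pad key per query, so it can open k codes and no more.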
Commitments and ZKPs: How and why?
• “Public” commitments for the secrets
  ◦ Share a value computed from secret, without leaking info
• ZKPs relative to those commitments
  ◦ Prove that
    − Secret value used in computation = secret value used for commitment
  ◦ Chain of truth from key generation to ballot decryption
• Combination yields Universal verifiability
  ◦ Result integrity
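One link of that chain, as an added example that is not taken from the talk or the CHvote specification: a control component proves that its partial decryption used the same secret as its published key share. This is a Chaum-Pedersen equality-of-discrete-logs proof made non-interactive with Fiat-Shamir; the public value G^sk stands in for the commitment, and the toy group and function names are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: P = 2*Q + 1, G has prime order Q.
# With Q this small the soundness error is about 1/Q; real groups are far larger.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def challenge(*values):
    """Fiat-Shamir: derive the challenge from every public value of the proof."""
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_decryption(sk, pk_share, b):
    """Partial decryption d = b^sk plus a proof that the exponent matches pk_share."""
    d = pow(b, sk, P)
    w = rand_exp()                            # one-time nonce
    t1, t2 = pow(G, w, P), pow(b, w, P)       # same nonce under both bases
    c = challenge(pk_share, b, d, t1, t2)
    s = (w + c * sk) % Q
    return d, (t1, t2, s)

def verify_decryption(pk_share, b, d, proof):
    """Check G^s = t1 * pk^c and b^s = t2 * d^c without ever seeing sk."""
    t1, t2, s = proof
    for x in (pk_share, b, d, t1, t2):        # reject values outside the subgroup
        if not (0 < x < P and pow(x, Q, P) == 1):
            return False
    c = challenge(pk_share, b, d, t1, t2)
    return (pow(G, s, P) == t1 * pow(pk_share, c, P) % P
            and pow(b, s, P) == t2 * pow(d, c, P) % P)

def demo():
    sk = rand_exp()
    pk_share = pow(G, sk, P)                  # published at key generation
    b = pow(G, rand_exp(), P)                 # second half of some ciphertext
    d, proof = prove_decryption(sk, pk_share, b)
    tampered = d * G % P                      # a manipulated partial decryption
    return (verify_decryption(pk_share, b, d, proof),
            verify_decryption(pk_share, b, tampered, proof))

if __name__ == "__main__":
    print(demo())
```

An auditor who holds only the public key share, the ciphertext and the proof can run the verification, which is what makes the check universally verifiable.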
Wikström’s Proof of a Shuffle: Why?
• Re-encrypting mix-net
  ◦ Each component re-encrypts each ballot and shuffles them
• Since shuffled, simple pre-image proofs would not work
• Since re-encrypted, ciphertexts are not equal
  ◦ Vote secrecy
• Need for a specific proof that the cryptographic shuffle is valid
  ◦ Result integrity
Further reading and references
• Published protocol specification
  ◦ https://eprint.iacr.org/2017/325
• Published PoC code
  ◦ https://github.com/republique-et-canton-de-geneve/chvote-protocol-poc
• Federal requirements
  ◦ https://www.bk.admin.ch/themen/pore/evoting/07979/index.html
Thank you!