Slide 1: Static Validation of a Voting Protocol
Christoffer Rosenkilde Nielsen, with Esben Heltoft Andersen and Hanne Riis Nielson
Language-Based Technologies, Safe and Secure IT-Systems, Informatics and Mathematical Modelling, Technical University of Denmark

Slide 2: Electronic Voting Protocols
- Convenient and inexpensive.
- Several cryptographic approaches exist.
- They introduce new ways to disrupt or falsify an election.
- They must uphold the security properties of the classical paper vote.
- Hence the need for provably correct systems.

Slide 3: Security Properties
Verifiability: voters can verify that their votes have been counted.
Accuracy:
1. No votes can be altered.
2. Validated votes count in the final tally.
3. Invalid votes cannot be counted in the final tally.
Democracy:
1. Only eligible voters can vote.
2. Eligible voters can only vote once.
Fairness: no early results from the voting can be obtained.
Privacy: voters and their votes cannot be linked together.

Slide 4: Case Study: FOO
Parties: Voter (V), Administrator (A), Counter (C). A sender written as (V) sends over an anonymous channel, so the counter cannot tell which voter the message came from; message 4 is the counter's publication of the list of ballots, and l is the position of a ballot in that list.
1. V → A : V, sign_V(blind_b(commit_r(v)))
2. A → V : sign_A(blind_b(commit_r(v)))
3. (V) → C : sign_A(commit_r(v))
4. C → : l, sign_A(commit_r(v))
5. (V) → C : l, r
Blinding:
1. unblind_b(blind_b(msg)) = msg
2. unblind_b(sign_s(blind_b(msg))) = sign_s(msg)
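The five-message exchange above, run end to end in code, as an added example that is not part of the slides or of the FOO92 paper. It uses textbook RSA blind signatures (blind_b(m) = m·b^e mod n, so that unblind_b(sign_s(blind_b(m))) = sign_s(m)), a hash-pad commitment that is opened by revealing r, a shuffled list standing in for the anonymous channel, and the counter-signed publication that slide 11 proposes. The tiny primes, the commitment construction and the key assignments are all assumptions made for the example; they are not a usable voting system.

```python
"""Added example: a constructed, toy model of the FOO92 exchange on slide 4
using textbook RSA blind signatures.  Small primes, the hash-pad commitment,
the shuffled list as anonymous channel and the counter-signed publication
(slide 11) are assumptions of this example, not part of the original slides."""
import hashlib
import math
import random

E = 65537  # prime; it divides none of the phi values of the toy keys below


def keygen(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def sign(key, m):                 # sign_s(m) for 0 <= m < n
    return pow(m, key["d"], key["n"])


def verify(key, m, s):            # check s against the signer's public (n, e)
    return pow(s, key["e"], key["n"]) == m % key["n"]


def blind(key, b, m):             # blind_b(m) = m * b^e mod n, relative to the signer's key
    return (m * pow(b, key["e"], key["n"])) % key["n"]


def unblind(key, b, x):           # unblind_b(x) = x * b^-1 mod n
    return (x * pow(b, -1, key["n"])) % key["n"]


def blinding_identity_holds(key, b, m):
    """unblind_b(sign_s(blind_b(m))) == sign_s(m), the second blinding equation on slide 4."""
    return unblind(key, b, sign(key, blind(key, b, m))) == sign(key, m)


def pad(r, n):                    # H(r) reduced into the signer's message space
    return int.from_bytes(hashlib.sha256(r).digest(), "big") % n


def commit(r, v, n):              # commit_r(v): v masked by H(r); opened by revealing r
    return (v + pad(r, n)) % n


def open_commit(r, c, n):
    return (c - pad(r, n)) % n


def fresh_blinding(rng, n):       # the blinding factor must be invertible mod n
    while True:
        b = rng.randrange(2, n)
        if math.gcd(b, n) == 1:
            return b


def board_digest(board, n):       # what the counter signs when publishing (slide 11 fix)
    return pad(repr(board).encode(), n)


def run_election(votes, seed=7):
    """Run the five FOO92 messages for the given candidate numbers (at most three
    voters) and return the published list, the tally and whether every voter
    could verify that its ballot is on the counter-signed list."""
    rng = random.Random(seed)
    A, C = keygen(211, 223), keygen(257, 263)                  # administrator, counter
    V = [keygen(227, 229), keygen(233, 239), keygen(241, 251)]  # eligible voters' keys
    nA = A["n"]
    kept, signed_for = [], set()
    for i, v in enumerate(votes):
        r = rng.getrandbits(128).to_bytes(16, "big")
        b = fresh_blinding(rng, nA)
        c = commit(r, v, nA)
        x = blind(A, b, c)
        vid, x1, sv = (i, x, sign(V[i], x))                   # 1. V -> A: V, sign_V(blind_b(commit_r(v)))
        if not verify(V[vid], x1, sv) or vid in signed_for:    # A: eligible voter, one ballot each
            raise ValueError("administrator rejects ballot")
        signed_for.add(vid)
        msg2 = sign(A, x1)                                     # 2. A -> V: sign_A(blind_b(commit_r(v)))
        y = unblind(A, b, msg2)                                # voter checks message 2
        if not verify(A, c, y):
            raise ValueError("voter rejects administrator signature")
        kept.append((c, y, r))
    rng.shuffle(kept)                                          # 3. (V) -> C over the anonymous channel
    accepted = []
    for c, y, _ in kept:
        if verify(A, c, y) and (c, y) not in accepted:         # signed by A, and not a duplicate
            accepted.append((c, y))
    if len(accepted) != len(signed_for):                       # as many ballots as A signed
        raise ValueError("missing or extra ballots")
    board = tuple(enumerate(accepted))                         # 4. C -> : (l, sign_A(commit_r(v))) ...
    board_sig = sign(C, board_digest(board, C["n"]))           # ... signed by the counter (slide 11)
    verifiable = verify(C, board_digest(board, C["n"]), board_sig) and all(
        (c, y) in accepted for c, y, _ in kept)
    tally = {}
    for c, y, r in kept:                                       # 5. (V) -> C: l, r
        l = accepted.index((c, y))
        v = open_commit(r, board[l][1][0], nA)
        tally[v] = tally.get(v, 0) + 1
    return {"board": board, "board_signature": board_sig, "tally": tally, "verifiable": verifiable}
```

The administrator never sees the commitment, only its blinded form, and the counter only sees the signed commitment on the anonymous channel, which is where the unlinkability of voter and vote comes from; the opening in message 5 is what keeps the votes unreadable until the opening phase. Note that verifying the counter's signature on the list before checking inclusion is exactly the change slide 11 calls for.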

Slide 5: Framework
Pipeline: Protocol Narration → LySa → Annotations → Analysis → OK / Not OK?

Slide 6: LySa-Calculus
- A process calculus in the π-calculus tradition.
- The original LySa incorporates the usual cryptographic operations: symmetric and asymmetric encryption.
- Messages are sent on a single global network, the Ether, which the attacker controls.
- An extension of the LySa-calculus with a blinding construct was needed in order to analyse the FOO92 protocol.
- All encryptions/decryptions are annotated with a destination/origin.

Slide 7: LySa-Calculus (continued)

Slide 8: FOO92 in LySa
The narration of slide 4, encoded in the extended LySa-calculus:
1. V → A : V, sign_V(blind_b(commit_r(v)))
2. A → V : sign_A(blind_b(commit_r(v)))
3. (V) → C : sign_A(commit_r(v))
4. C → : l, sign_A(commit_r(v))
5. (V) → C : l, r

Slide 9: Analysis
- Control flow analysis that safely approximates the behaviour of the protocol.
- Dolev-Yao attacker.
- LySaTool: an automated tool for verifying security properties of protocols written in the LySa-calculus.
- Reports any possible violation of the destination/origin annotations.

Slide 10: Security Properties (as listed on slide 3): verifiability, accuracy (1 to 3), democracy (1 and 2), fairness, privacy.

Slide 11: Results: Verifiability
Property: the voters can independently verify that their vote has been counted correctly.
Problem: the publication (message 4) can originate from the attacker.
Solution: the counter signs the publication.

Slide 12: Results: Accuracy (3)
Property: invalid votes are not counted in the final tally.
Problem: blinded ballots can be accepted as valid ballots.
Solution: distinguish between committed values and blinded values.

Slide 13: Results: Accuracy (1 and 2)
Properties: (1) it is not possible for a vote to be altered; (2) all validated votes must count in the final tally.
Result: Accuracy (1) holds under the perfect-cryptography assumption, given that the voter checks his vote in message 2. Accuracy (2) holds only if the counter receives as many votes as the administrator has signed (one of the assumptions listed on slide 18).

Slide 14: Results: Democracy
Properties: (1) only eligible voters can vote and (2) they can only vote once.
Result: Democracy (1): the administrator only signs ballots that originate from eligible voters. Democracy (2): any eligible voter can only have one ballot validated, and the counter will not accept the same ballot twice.

Slide 15: Results: Fairness
Property: no early results from the voting can be obtained.
Result: the attacker cannot learn the votes before the opening phase (message 5, in which the commitment key r is revealed).
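A small symbolic model of the Dolev-Yao attacker of slide 9, added here as an example that is not the slides' LySa model and not LySaTool. It represents one honest FOO92 run as tuple terms, closes the attacker's knowledge under decomposition (unpairing, message recovery from signatures, the two blinding equations of slide 4 and opening a commitment with a known key), and then asks two questions: which attacker-derivable terms an untyped counter would accept as extra ballots (the slide 12 finding, in the reading that a signed blinded value passes a check that only looks for the administrator's signature) and whether the vote is derivable before message 5 (the slide 15 fairness claim). The term constructors, the acceptance pattern of the counter and the reading of slide 12 are assumptions of this example.

```python
"""Added example: a constructed tuple-based Dolev-Yao term model of one FOO92 run.
Constructors, decomposition rules and the counter's acceptance pattern are
assumptions made here; they are not the slides' LySa encoding."""


# Terms: names are strings; compound terms are tuples headed by a constructor.
def pair(*xs):
    return ("pair",) + xs


def sign(k, m):                 # signature with message recovery, as in the slides' notation
    return ("sign", k, m)


def blind(b, m):
    return ("blind", b, m)


def commit(r, v):
    return ("commit", r, v)


B, R, VOTE, L = "b", "r", "yes", "l"   # constructed voter secrets, vote and list position


def honest_run():
    """The five messages of slide 4 as they appear on the Ether, in order."""
    c = commit(R, VOTE)
    return [
        pair("V", sign("V", blind(B, c))),   # 1. V -> A
        sign("A", blind(B, c)),              # 2. A -> V
        sign("A", c),                        # 3. (V) -> C
        pair(L, sign("A", c)),               # 4. C -> (publication)
        pair(L, R),                          # 5. (V) -> C (opening phase)
    ]


def closure(known):
    """Everything the attacker derives by decomposition.  It cannot forge
    sign_A(...), so composition rules are not needed to decide which terms it
    can hand to the counter under the administrator's signature."""
    K = set(known)
    while True:
        new = set()
        for t in K:
            if isinstance(t, str):
                continue
            head = t[0]
            if head == "pair":
                new.update(t[1:])
            elif head == "sign":
                new.add(t[2])                              # message recovery
            elif head == "blind" and t[1] in K:
                new.add(t[2])                              # unblind_b(blind_b(m)) = m
            elif head == "commit" and t[1] in K:
                new.add(t[2])                              # open commit_r(v) with r
            if head == "sign" and isinstance(t[2], tuple) and t[2][0] == "blind" and t[2][1] in K:
                new.add(sign(t[1], t[2][2]))               # unblind_b(sign_s(blind_b(m))) = sign_s(m)
        if new <= K:
            return K
        K |= new


def counter_accepts(ballot, accepted, typed):
    """Counter's check on message 3.  Untyped: anything signed by A that is not a
    duplicate.  Typed (the slide 12 fix): the signed payload must be a commitment."""
    if not (isinstance(ballot, tuple) and ballot[0] == "sign" and ballot[1] == "A"):
        return False
    if ballot in accepted:
        return False
    return (not typed) or (isinstance(ballot[2], tuple) and ballot[2][0] == "commit")


def injectable_ballots(typed):
    """Attacker-derivable terms the counter would accept as extra ballots, given the
    traffic of one honest run (the honest ballot itself is already counted)."""
    msgs = honest_run()
    accepted = {msgs[2]}
    return [t for t in closure(msgs) if counter_accepts(t, accepted, typed)]


def vote_derivable(messages_seen):
    """Fairness check: can the attacker derive the vote from the messages seen so far?"""
    return VOTE in closure(messages_seen)
```

With the untyped counter the only extra acceptable term is message 2, the administrator's signature on the still-blinded commitment, which the attacker simply replays; once the counter insists on a commitment inside the signature, nothing the attacker can derive is accepted. The vote itself is underivable from messages 1 to 4 and becomes derivable only once message 5 reveals r.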

Slide 16: Summary
- Previous work has shown that LySa can analyse protocols for confidentiality and authentication.
- Voting protocols have different properties:
1. Verifiability
2. Accuracy
3. Democracy
4. Fairness
5. Privacy
- Using the extended LySa we successfully validated four of these properties (verifiability, accuracy, democracy and fairness) for FOO92.
- The framework also applies to other voting protocols: Sensus, E-Vox.

Slide 17: Related Work
[FOO92] A. Fujioka, T. Okamoto and K. Ohta, A Practical Secret Voting Scheme for Large Scale Elections, AUSCRYPT '92.
[CC96] L. F. Cranor and R. K. Cytron, Design and Implementation of a Practical Security-Conscious Electronic Polling System, WUCS-96-02.
[BBDNN04] C. Bodei, M. Buchholtz, P. Degano, H. Riis Nielson and F. Nielson, Static Validation of Security Protocols, JCS '04.
[KR05] S. Kremer and M. D. Ryan, Analysis of an Electronic Voting Protocol in the Applied Pi Calculus, ESOP '05.

Slide 18: Assumptions
- Perfect cryptography;
- bit-committed votes are unique;
- the administrator only signs one vote for each eligible voter;
- the counter is a trusted party;
- the counter must have received all votes before publishing;
- the number of votes counted by the counter equals the number of votes signed by the administrator; and
- all the commitment keys must be received by the counter.