
1 Strasbourg – How to create trust-1 © G. Skagestein November 2006
How to create trust in electronic voting over an untrusted platform: a possible solution and its implications with regard to the Recommendation
Gerhard Skagestein, University of Oslo
Development in the field of e-voting, Council of Europe, Strasbourg 23-24 November 2006

2 The background
- In 2004, the Norwegian Ministry of Local Government and Regional Development appointed a working group to give recommendations on the future of electronic elections in the country.
- The results were published in January 2006; see the report Electronic voting – challenges and possibilities at http://www.e-valg.dep.no
- This presentation discusses one important topic in the report, namely how to achieve trust in e-voting over an insecure system such as a home PC connected to the Internet.

3 e-voting in Norway?
- No political decision yet on whether we should have e-voting at all
- ... and if e-voting, should it then be only in supervised environments
- ... or also in unsupervised environments (so-called remote voting)?
- Public comments indicate skepticism towards e-voting in unsupervised environments

4 Some basic principles
The working committee maintains that
- Traditional paper voting should coexist with e-voting
- e-voting should be available only during the advance voting period (called phase 1)
- i.e. no e-voting on Election Day (called phase 2)
- The same technological solution should be used for e-voting in both supervised and unsupervised environments
  - Same program -> same user interface, same operational procedures, same security measures, less code to maintain, test and certify
  - i.e. a technical solution must be feasible in unsupervised environments, even though it may end up being used only in supervised environments

5 e-voting in supervised environments
[Diagram: Voter -> Voting client -> Datanet -> Ballot-receiving server -> Ballots; the server writes a Verification log. The whole chain sits in a supervised environment and is a trusted system.]

6 e-voting in unsupervised environments
[Diagram: the same chain as in slide 5, but the Voting client and the Datanet are in an unsupervised environment and form the untrusted part of the system; the voter has no possibility for immediate inspection of the Verification log.]
- How can we achieve the voter's trust in the complete system when a part of it is not trustworthy?
- How can we establish a trustworthy Verification log?

7 Some observations...
- If you have something that you do not completely trust, you compensate by building security into the levels above
- Why do we trust Internet banking?
  - we can check the statement of account
  - if something goes wrong, the bank takes the blame (usually)

8 Possible e-voting solutions
- Redundancy: let the voter send several ballots, possibly through different channels, and let the system compare notes
  - cumbersome for the voter
  - the voter may still feel insecure
- Feedback control: let the voter inspect the ballot as it is registered in the trusted part of the system (analogous to checking the statement of account in Internet banking)

9 Feedback through another channel
[Diagram: Voter -> Voting client -> Datanet -> Ballot-receiving server -> Ballots, with a Verification log; the Voting client and the Datanet are untrusted systems. A trusted Ballot-inspecting server reads the stored ballots and reports back to the voter over the SMS-net.]
- But what about the secrecy of the vote? (The Recommendation, Standard 17)

10 Multiple casting of ballots
[Diagram: as in slide 9, with an added Vote-extracting server that produces the Votes from the stored Ballots and is run only when the election is closed.]
- The voter is allowed to send several ballots; only the last one is regarded as the e-vote
- The voter may override any e-vote with a traditional paper ballot on Election Day

11 On Election Day...
- ... the election officials will have access to an updated voter register, in which the e-voters have been marked
- When an e-voter shows up at the polling station, the election official sends an "annul-ballot" message to the e-voting system before allowing the voter to vote by traditional means (i.e. an anonymous paper ballot in a supervised environment)

12 Several ballots from the same voter?
- Why?
  - Alleviates the "family voting" problem
  - Alleviates the vote-buying/selling problem
  - Maintains a certain level of secrecy even when ballot inspection is possible, because nobody can know whether the current ballot will be the final one
  - Technically, it comes next to free, as a side effect of the mechanism that ensures only one valid vote from each voter
- Why not?
  - May reduce the solemnity of voting
  - The connection between the voter and the ballot must be maintained until the end of the election (increased risk of loss of secrecy)
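The rules of slides 10-12 (several e-ballots allowed, only the last one counts, an "annul-ballot" message from the election official on Election Day discards it, and vote extraction runs only once the election is closed) as an added worked example in Go. This is written for this edit and is not code from the presentation or from the Norwegian working group's system; the in-memory store, the function names, the verification-log line format and the sorting of the extracted ballots are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// StoredBallot is one entry in the ballot storage; the signed, encrypted
// ballot itself stays opaque, only identity and log position are used.
type StoredBallot struct {
	Seq     int    // position in the verification log
	VoterID string // real identity, as the working committee recommends
	Blob    string // the digitally signed, encrypted ballot (never opened here)
}

// BallotStore implements "repeated casting allowed, last ballot counts",
// the Election Day annul-ballot message, and extraction only after closing.
type BallotStore struct {
	phase1Open bool
	latest     map[string]StoredBallot // voter -> most recent e-ballot
	annulled   map[string]bool         // voters who chose a paper ballot instead
	Log        []string                // append-only verification log
}

func NewBallotStore() *BallotStore {
	return &BallotStore{phase1Open: true, latest: map[string]StoredBallot{}, annulled: map[string]bool{}}
}

// Receive stores an e-ballot during phase 1. A later ballot from the same
// voter supersedes the earlier one, which survives only in the log.
func (s *BallotStore) Receive(voterID, blob string) error {
	if !s.phase1Open {
		return errors.New("e-voting is closed: no e-ballots on Election Day")
	}
	if s.annulled[voterID] {
		return errors.New("voter has cast a paper ballot, which takes precedence")
	}
	seq := len(s.Log) + 1
	s.latest[voterID] = StoredBallot{Seq: seq, VoterID: voterID, Blob: blob}
	s.Log = append(s.Log, fmt.Sprintf("%d received e-ballot from %s", seq, voterID))
	return nil
}

// Latest is what the ballot-inspection server hands back: the ballot as
// registered right now, with no promise that it will be the final one.
func (s *BallotStore) Latest(voterID string) (StoredBallot, bool) {
	b, ok := s.latest[voterID]
	return b, ok
}

// Close ends phase 1 and returns the e-voters to be marked in the voter
// register that the election officials use on Election Day.
func (s *BallotStore) Close() []string {
	s.phase1Open = false
	voters := make([]string, 0, len(s.latest))
	for v := range s.latest {
		voters = append(voters, v)
	}
	sort.Strings(voters)
	return voters
}

// Annul applies the annul-ballot message the election official sends before
// an e-voter is allowed to vote on paper. Repeated messages are harmless.
func (s *BallotStore) Annul(voterID string) {
	if !s.annulled[voterID] {
		s.annulled[voterID] = true
		s.Log = append(s.Log, fmt.Sprintf("%d annulled e-ballot of %s", len(s.Log)+1, voterID))
	}
}

// Extract runs only once the election is closed: it drops annulled voters, strips the
// identities and returns the ballots in an order unrelated to receipt (sorted, for reproducibility).
func (s *BallotStore) Extract() ([]string, error) {
	if s.phase1Open {
		return nil, errors.New("vote extraction must not run before the election is closed")
	}
	votes := []string{}
	for v, b := range s.latest {
		if !s.annulled[v] {
			votes = append(votes, b.Blob)
		}
	}
	sort.Strings(votes)
	return votes, nil
}

func main() {
	s := NewBallotStore() // constructed sample traffic: A revotes, B later turns up at the polling station
	for _, r := range [][2]string{{"A", "ballot-A1"}, {"B", "ballot-B1"}, {"A", "ballot-A2"}, {"C", "ballot-C1"}} {
		_ = s.Receive(r[0], r[1]) // all accepted during phase 1
	}
	fmt.Println("e-voters to mark in the register:", s.Close())
	s.Annul("B")
	fmt.Println("late e-ballot rejected:", s.Receive("B", "ballot-B2") != nil)
	votes, _ := s.Extract()
	fmt.Println("votes to count:", votes, "\nlog:", s.Log)
}
```

The two refusals in Receive are the design principles of slide 22 made executable: no e-ballot after phase 1, and any paper ballot takes precedence. Note that the identity-to-ballot link has to exist until Extract runs, which is exactly the residual secrecy risk slide 12 lists under "Why not?".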

13 What about the secrecy of the vote?
Wouldn't this solution increase the risk of disclosing the secret vote to other people? Yes, but
- the ballot-inspection server should authenticate the voter just as thoroughly as the ballot-receiving server
- with the session key (see later), the ballot can only be inspected, not modified
- it is the voter's responsibility to keep the session key unavailable to other people
- if the ballot is disclosed, there is no way to know whether this is the final ballot, i.e. the vote to be counted

14 The technical solution
- The technical solution builds upon the principle of hybrid cryptography

15 The hybrid crypto principle
- Symmetric cryptography: the same key is used for encryption and decryption of the message
- Asymmetric cryptography: one key of a key pair is used for encryption, the other key of the key pair for decryption of the message
- Hybrid cryptography: the message is encrypted symmetrically with a randomly selected session key, which is then encrypted asymmetrically. To decrypt, the session key is decrypted asymmetrically, then the message is decrypted symmetrically with the session key.

16 The session key
- Hybrid crypto with a session key is traditionally used for efficiency reasons
- In this solution, we use the session key also to allow the voter to inspect the registered ballot
- To be able to inspect the ballot, the voting client must keep the session key
- For inspecting the ballot through other channels, the session key must be transferable to the client on the other channels

17 Electronic voting with ballot-inspection
[Diagram, three keys involved: the election event key pair, the voter's key pair and the session key. Casting: Ballot -> encrypting with the session key -> digital signing with the voter's private key -> digitally signed, encrypted ballot -> Ballot database; the session key itself is encrypted with the public key of the election event. Inspection: removing the outer envelope with the voter's public key, then decrypting the ballot with the session key gives the Ballot (as registered). The Ballot database also feeds Vote counting.]
Source: G. Skagestein et al.: How to create trust in electronic voting over an untrusted platform. In Krimmer, R. (Ed.): Electronic Voting 2006, GI Lecture Notes in Informatics, P-86, Bonn, 2006.

18 Envelope opening / Vote extraction
[Diagram: Ballot database -> verification of the digital signature with the voter's public key, which yields the list of e-voters to be marked in the voter register and the encrypted anonymous e-votes -> decrypting the session key with the private key of the election event -> decrypting the votes with the session keys -> Votes (the e-votes to be counted).]
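The envelope construction of slides 15-18, and the "inspected, not modified" property claimed on slide 13, as an added worked example in Go. This is written for this edit and is not code from the presentation or from the system it describes; the slides name no algorithms, so AES-256-GCM for the symmetric layer, RSA-OAEP for the election event key pair and RSA-PSS for the voter's signature are choices made here, as are the field layout, the function names and the sample ballot.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)
// SignedBallot is the "digitally signed, encrypted ballot" of slide 17: the ballot under
// a fresh session key, that key under the election event's public key, voter signature outside.
type SignedBallot struct {
	VoterID    string // real identity, as the working committee recommends
	Nonce      []byte // AES-GCM nonce for EncBallot
	EncBallot  []byte // AES-256-GCM(sessionKey, ballot)
	EncSession []byte // RSA-OAEP(electionPub, sessionKey)
	Signature  []byte // RSA-PSS(voterPriv, digest of the four fields above)
}

// digest length-prefixes every field so they cannot shift into one another.
func (b *SignedBallot) digest() []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(b.VoterID), b.Nonce, b.EncBallot, b.EncSession} {
		binary.Write(h, binary.BigEndian, uint32(len(part)))
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBallot runs on the (untrusted) voting client and returns the envelope
// plus the session key, which the client keeps for later ballot inspection.
func SealBallot(voterID string, ballot []byte, voterPriv *rsa.PrivateKey, electionPub *rsa.PublicKey) (*SignedBallot, []byte, error) {
	buf := make([]byte, 32+12) // random session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	encSession, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, electionPub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	b := &SignedBallot{VoterID: voterID, Nonce: nonce, EncBallot: gcm.Seal(nil, nonce, ballot, nil), EncSession: encSession}
	if b.Signature, err = rsa.SignPSS(rand.Reader, voterPriv, crypto.SHA256, b.digest(), nil); err != nil {
		return nil, nil, err
	}
	return b, sessionKey, nil
}

// VerifyOuterEnvelope is "removing the outer envelope with the voter's public
// key": done by the ballot-receiving server and again at vote extraction.
func VerifyOuterEnvelope(b *SignedBallot, voterPub *rsa.PublicKey) error {
	return rsa.VerifyPSS(voterPub, crypto.SHA256, b.digest(), b.Signature, nil)
}

// InspectBallot is all the ballot-inspection server can do with the session key alone: read the
// ballot as registered. A swapped or altered ciphertext no longer matches the voter's signature.
func InspectBallot(b *SignedBallot, sessionKey []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.EncBallot, nil)
}

// ExtractVote runs only after the election is closed, inside the security module holding the election event's private key.
func ExtractVote(b *SignedBallot, electionPriv *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, electionPriv, b.EncSession, nil)
	if err != nil {
		return nil, err
	}
	return InspectBallot(b, sessionKey)
}

func main() {
	voterKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	electionKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ballot := []byte("list=Example Party") // constructed sample ballot
	env, sessionKey, _ := SealBallot("voter-01", ballot, voterKey, &electionKey.PublicKey)
	seen, _ := InspectBallot(env, sessionKey)
	counted, _ := ExtractVote(env, electionKey)
	env.EncBallot[0] ^= 1 // someone holding the session key alters the stored ciphertext
	fmt.Println("inspected:", string(seen), "counted:", string(counted),
		"tampered envelope rejected:", VerifyOuterEnvelope(env, &voterKey.PublicKey) != nil)
}
```

The point the slides make is visible in the key material each party holds: the inspection server gets only the session key and can therefore read but not replace the ballot (the voter's signature covers the ciphertext), while the election event's private key, needed to recover session keys without the client's help, is used only at extraction, after the election is closed.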

19 Architecture of the e-voting system
[Diagram: the Voter uses the Voting client (untrusted system) with Ballot forms; over the Datanet and through a Firewall the Ballot-receiving server stores Ballots on the Ballot-storage server, writes the Verification log and checks the Voter register. A Ballot-inspection server reports back to the voter over the SMS-net. The Election official, using the Voter register, sends the annul-ballot message to the Ballot-annulling server, which stores an annulling ("red") envelope with the ballots. The stored ballots and annulments go on to the vote-counting system.]

20 Election is closed – time to count
[Diagram: Ballots and annul envelopes from the e-voting system, integrated from ballot files in case of distributed storage of ballots, go into the Electronic ballot box. The Valid-vote extracting server, using a Security module that holds the private key of the election event, checks the Voter register and produces the checked voter register and the Electronic votes list, which the Vote-counting server counts per constituency.]

21 Identification and authentication of the voter
- Identification and authentication of the voter should be done by a generally available PKI system (citizen identity card)
  - cheaper than a special-purpose election credential
  - the voter will not be tempted to sell it
- The e-vote may be connected to the voter's real identity, or to a derived pseudo-identity
  - the working committee recommends using the real identity, since this makes the annulment of e-votes on Election Day easier if the voter wants to cast a paper ballot

22 Basic design principles
- e-voting is allowed in phase 1 only
- Repeated casting of e-ballots is allowed; the last ballot counts (The Recommendation, Standard 5?)
- The e-voter is allowed to inspect the e-ballot as it is registered (The Recommendation, Standard 17?)
- Traditional voting with paper ballots in supervised environments on Election Day (phase 2) is maintained
- Any paper ballot takes precedence over the e-ballot

23 Summary
- We have shown that by relaxing the requirement of absolute secrecy of the vote, the vote as registered may be inspected by the voter
- This possibility of inspection gives the voter trust in the untrusted part of the system
- The loss of secrecy is compensated by the possibility to revote, even by traditional means on Election Day
- Election Day should be kept free of any kind of e-voting
- The coexistence of e-voting and traditional paper ballot voting makes a soft transition possible
- The solution complies with the intentions of the Recommendation, although not always with its wording
- Some rewording of the Recommendation?

