Irish eVoting Vetoed

David Wagner daw at cs.berkeley.edu
Wed Jul 5 03:11:00 EDT 2006


>The Irish government's commission's report on the NEDAP/Powervote system 
>has been published. (PDFs on the site)
>
>http://www.cev.ie/htm/report/download_second.htm
>
>As a secure system, it leaves a lot to be desired and it seems to be an 
>example in how not to implement an eVoting system. Just reading the 
>report, I am beginning to wonder which has more holes - a lump of 
>activated charcoal or this eVoting system.

Agreed.  I think the quality of the technical analysis in the report
is a disappointment.  The report states the Commission's opinion that
the voting machine can be trusted.  However, the technical content
of the report is, in my opinion, starkly at odds with that conclusion:
  1) The report discloses several vulnerabilities that ought to raise
  questions about the security of the system.
  2) Moreover, there are frank admissions of major gaps in the
  Commission's analysis.  These revelations suggest to me that
  there is, at present, no rational basis for confidence in the
  correct operation of these voting machines.
After reading the report, I suspect that no one knows whether the system
is trustworthy or not (and that includes the Commission and all the
Commission's experts).  To be clear, I am not claiming that the system
is known to be untrustworthy; but neither is it known to be trustworthy.

It seems to me that the technical material in the report would better
support the conclusion that there is no convincing evidence that the
voting machines are fit for purpose.  I find the report's defense of the
voting machines unpersuasive.  It is puzzling to me why the Commission
is willing to recommend the voting machines.  I feel bad for any Irish
citizens who may be forced to rely on these machines in their election.


Let me share some quotes from the report that stuck out for me, along
with some commentary discussing my reaction to those quotes:


``The Commission has not conducted a line-by-line review of the software
embedded in the voting machine.'' -- p.60

  My comments: This is a confession that the Commission has no idea
  whether the system is trustworthy or not.  For all we know, a Trojan
  horse or malicious logic could be hidden somewhere in the source
  code.  The only way to detect such malicious code is by inspecting
  the source code.  When some of the source code is left uninspected,
  we have no way of knowing whether that uninspected part of the code
  might contain malicious logic.  Because the software is written in
  C, a single piece of malicious logic hidden anywhere in the code can
  subvert the working of the entire system.  Consequently, there is no
  rational basis for confidence that the system is free of backdoors.
  The Commission has no idea whether these voting machines might contain
  hidden backdoors -- and neither do I.


``further analysis, investigation and testing, and possibly amendment
of the C code [embedded in the voting machine] will be required.'' -- p.96

``the carrying out of substantive testing or verification of the system
lies beyond the scope of the Commission's remit'' -- p.112

  My comments: The Commission recognizes that its own analysis of the
  source code is lacking.  Why are they willing to recommend the system
  before they have performed the analysis that would be needed to
  determine whether the system is trustworthy or not?


``The Commission has observed no mechanism within the system that would
enable operators, observers and voters to satisfy themselves independently
that the hardware and software of the voting machine are authentic and
that they are correct versions that have been tested and certified and
that have been approved for use by the electoral authorities.'' -- p.61

``it is not readily possible, nor is it required by prescribed procedures,
for operators or others to confirm independently that the version of the
C code installed on the voting machine or the programming/reading unit is
the correct version and to verify that it has not been altered.'' -- p.97

  My comments: This is a potentially significant vulnerability.  It is
  an admission that, if someone found a way of tampering with the code
  installed on the voting machines, election officials would have no way
  of detecting such tampering.


``data on ballot modules [e.g., electronic votes files] is not
cryptographically signed to prevent unauthorised alteration'' -- p.72

``The tests carried out by the Commission indicated that it would be
possible to access data, including votes, transmitted on CDs and to
alter the data without detection: [...] data, including votes, on CD is
not cryptographically signed to prevent unauthorized alteration [...]
There are thus significant hardware and data security vulnerabilities
associated with the use of CDs [...]'' -- p.88

  My comments: Another admission of a serious vulnerability in the system.
  The Commission has concluded that vote records can be tampered with
  while they are in transit, and that there is no way to detect such
  tampering, and that there are no satisfactory mitigations present.
  It seems to me that this vulnerability casts doubt on the integrity
  of the whole election.


``The storage location of a vote within each memory location of a ballot
module is determined pseudo-randomly, using the timer of the voting
machine as a seed in the case of the first vote to be stored. Thereafter
each vote is stored either immediately before or immediately after the
other votes that have already been stored, with the question of whether
it is stored before or after also being determined pseudo-randomly. If,
as further votes are stored, a vote cannot be stored before the other
votes as determined by this method, then it is stored after them (and vice
versa) until it is no longer possible to add votes to the ballot module.''
-- pp.66-67

  My comments: The commission describes the algorithm used for vote
  storage, without realizing that in so doing they have revealed a
  significant defect in the ballot secrecy protections.  The secrecy
  of the ballot implies a technical requirement regarding how votes are
  stored: someone who gains a copy of the electronic vote records after
  the election should not be able to link votes to the people who cast
  those votes.  However, the algorithm described in the report violates
  this property.

  Let me describe an example attack on the secret ballot, that is
  introduced by this flawed vote storage algorithm.  If I have a copy
  of the data stored on the ballot module, then I may be able to deduce
  how some individual voters have voted.  For instance, if I am present
  as an observer at the polling place, I can see who was the last person
  to cast a vote on the voting machine.  If I also have the electronic
  vote records for that voting machine, I can narrow down which ballot
  was cast by the last voter down to one of only two possibilities: it
  must be either the very last vote stored in the sequential vote record,
  or the very first vote stored.  This is a violation of the principle
  of the secret ballot.
  
  It is cause for concern that the Commission failed to notice this
  (rather obvious) defect in the vote storage mechanism.  It raises
  questions about the competence of the technical advice that the
  Commission received.  It also raises questions in my mind about what
  other defects they may have missed in their analysis of the rest of
  the system.

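The placement rule quoted above (first vote at a timer-seeded pseudo-random slot, each later vote immediately before or after the existing block) is easy to simulate, and simulating it makes the secrecy defect measurable. The following Python is an added example, not code from the post or from the Commission's report: it implements the rule exactly as the report describes it (with the machine timer replaced by a caller-supplied RNG, an assumption for reproducibility), then counts how often the last-cast vote ends up at an edge of the stored run. It also includes a buffer-and-shuffle variant, which is an assumed alternative for comparison and not part of the NEDAP design, to show what the same measurement looks like when storage order is independent of casting order. All vote identifiers and the module capacity are constructed sample values.

```python
import random

# Constructed sample: vote identifiers in the order voters cast them.
VOTES_IN_CAST_ORDER = [f"vote-{i:02d}" for i in range(12)]
MODULE_CAPACITY = 16  # constructed; real module sizes are not stated in the post


def store_votes_report_algorithm(votes, capacity, rng):
    """Place votes into a ballot module using the rule the report describes.

    The first vote lands at a pseudo-random slot (the real machine seeds this
    from its timer; here the caller supplies the RNG).  Each later vote goes
    immediately before or immediately after the block already stored, the
    side chosen pseudo-randomly; if the chosen side is full it goes on the
    other side.  Returns the occupied run of slots in storage order.
    """
    if not votes:
        return []
    if len(votes) > capacity:
        raise ValueError("more votes than the module can hold")
    slots = [None] * capacity
    lo = hi = rng.randrange(capacity)
    slots[lo] = votes[0]
    for v in votes[1:]:
        prefer_before = rng.random() < 0.5
        if prefer_before and lo > 0:
            lo -= 1
            slots[lo] = v
        elif hi < capacity - 1:
            hi += 1
            slots[hi] = v
        else:
            # "after" side is full; fewer than `capacity` votes are stored,
            # so there is still room on the "before" side.
            lo -= 1
            slots[lo] = v
    return slots[lo:hi + 1]


def store_votes_shuffled(votes, rng):
    """Assumed alternative (not the NEDAP design): buffer all votes and write
    them in a uniformly random order, so a record's position in storage
    carries no information about when it was cast."""
    out = list(votes)
    rng.shuffle(out)
    return out


def last_vote_is_at_an_edge(stored, last_vote):
    """True if the last-cast vote sits at either end of the stored run."""
    return stored[0] == last_vote or stored[-1] == last_vote


def edge_rate(storage_fn, votes, trials=2000, seed=1):
    """Fraction of simulated polls in which the last-cast vote ends up at an
    edge of the stored run.  A rate of 1.0 means an observer who saw the last
    voter can always narrow that person's ballot to two records."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        stored = storage_fn(votes, rng)
        if last_vote_is_at_an_edge(stored, votes[-1]):
            hits += 1
    return hits / trials


def report_algorithm_edge_rate(trials=2000):
    return edge_rate(
        lambda v, r: store_votes_report_algorithm(v, MODULE_CAPACITY, r),
        VOTES_IN_CAST_ORDER, trials)


def shuffled_edge_rate(trials=2000):
    return edge_rate(store_votes_shuffled, VOTES_IN_CAST_ORDER, trials)


if __name__ == "__main__":
    print("report's rule: last vote at an edge in",
          f"{report_algorithm_edge_rate():.0%} of polls")
    print("shuffled write: last vote at an edge in",
          f"{shuffled_edge_rate():.0%} of polls")
```

For the report's rule the rate is exactly 100%, independent of the timer seed, because the seed only moves the starting slot and never changes the fact that each new vote is appended at one end of the run. For the shuffled variant the rate is about 2/12 for twelve votes, which is just the chance that any particular record happens to land at an end.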