Joey Chau
Mark Dlugokencky
Lauren Dana Rosenblatt
Kevin Sheu
Security and Privacy in Computing 600.443
E-Voting Project Part I
Abstract
The goal of our voting system is to computerize elections efficiently without giving up any of the security and anonymity present in the current system. We would like to make it easier for individuals to vote with respect to ballot appearance, location and technology, and in the process to increase voter turnout as well. With all of this in mind, we have decided to design a system for kiosk voting. This format provides additional convenience over standard poll-site voting without incurring the large-scale security issues faced by an Internet/remote-access design. We believe that the Internet in its current state is too insecure to support a web-based voting system.
Functional Requirements
Accuracy and Integrity Votes must be correctly tallied and verifiable by the individual casting them. There should also be multiple backup systems that provide a way to confirm the accuracy of the count. Votes cast from individual kiosk computers should be stored, and a hard-copy backup should be produced as well. The final tally should be computed by a central group mandated by the U.S. Government. Government-specified protocols would be used at every voting site, with the appropriate candidate names for each district.
Eligibility, Authentication, and Uniqueness The system should accurately and unambiguously record the intention of each voter. In order to preserve the fairness of elections, the system must only allow authorized users to cast ballots. Only a single ballot may be cast per registered user. After a voter casts his or her vote, the vote must be properly stored in order to prevent loss.
Provide an Audit Trail The system needs to contain both a computerized and a backup paper method for recounting or verifying the number of votes and voters in case of a dispute. This requires the system to retain an anonymous record of each vote and also a record of the individuals who voted (to prevent "dead voters").
Separation of Voter and Vote Users must be assured that their vote will not be connected with their identity in any way. There should be an obvious separation regarding the storage of votes and of who has voted.
Convenience The system should be capable of being seamlessly integrated into the current election architecture. A complex system that greatly differs from the current voting procedures may not be accepted by the voting population.
Simple and Unambiguous User Interface A simple and unambiguous user interface will lead to faster adoption by the voting population. More importantly, it prevents mistaken votes by confused voters, which was revealed to be a significant error in
Cost-Effective The kiosks would be simple terminals connected to a central distributed ballot database which would contain the ballots for each city and county. The terminals would be simple computers with the minimum features necessary to keep costs down.
Remote Voting Any individual would be able to use any kiosk to access and vote for the candidates in his or her area of registration. Maintaining such a system would allow great flexibility for voters. The kiosks would simply be terminals that access a central database for a voter's home candidates, even if the voter is not at his or her home location.
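As an added illustration of the Eligibility and Uniqueness, Audit Trail, and Separation of Voter and Vote requirements above (example code written for this edit, not part of the project's design), the following Go program keeps the voter register and the anonymous ballot box as two stores that share no identifier: the register records only that a voter has voted, the ballot box records only what was voted, a random receipt is the only thing handed back to the voter, and an audit cross-checks the count of voters, electronic ballots and paper-log entries. The type and function names, the voter roll and the candidate names are all constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry holds the roll of registered voters and whether each has voted.
// It never sees a ballot's contents.
type Registry struct {
	voted map[string]bool // voterID -> has cast a ballot
}

func NewRegistry(voterIDs []string) *Registry {
	r := &Registry{voted: make(map[string]bool)}
	for _, id := range voterIDs {
		r.voted[id] = false
	}
	return r
}

// BallotBox stores anonymous ballots keyed by a random receipt. paperLog is an
// append-only record standing in for the hard-copy backup the requirements call for.
type BallotBox struct {
	ballots  map[string]string // receipt -> candidate; no voter ID anywhere
	paperLog []string          // one "receipt:candidate" line per ballot
}

func NewBallotBox() *BallotBox {
	return &BallotBox{ballots: make(map[string]string)}
}

var (
	ErrNotRegistered = errors.New("voter is not registered")
	ErrAlreadyVoted  = errors.New("voter has already cast a ballot")
)

// newReceipt returns 16 random bytes as hex; it carries no information about the voter.
func newReceipt() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// CastVote checks eligibility and uniqueness against the registry, then deposits
// the ballot anonymously. Only the receipt goes back to the voter.
func CastVote(reg *Registry, box *BallotBox, voterID, candidate string) (string, error) {
	hasVoted, registered := reg.voted[voterID]
	if !registered {
		return "", ErrNotRegistered
	}
	if hasVoted {
		return "", ErrAlreadyVoted
	}
	receipt, err := newReceipt()
	if err != nil {
		return "", err
	}
	// Mark the voter before storing the ballot: a failure between the two writes
	// can lose at most one ballot (which Audit exposes) but can never let the
	// same voter cast twice.
	reg.voted[voterID] = true
	box.ballots[receipt] = candidate
	box.paperLog = append(box.paperLog, receipt+":"+candidate)
	return receipt, nil
}

// Tally counts the electronic ballots per candidate.
func Tally(box *BallotBox) map[string]int {
	counts := make(map[string]int)
	for _, c := range box.ballots {
		counts[c]++
	}
	return counts
}

// Audit cross-checks the three records: voters marked as having voted,
// electronic ballots, and paper-log entries. All three must agree.
func Audit(reg *Registry, box *BallotBox) (voters, electronic, paper int, consistent bool) {
	for _, v := range reg.voted {
		if v {
			voters++
		}
	}
	electronic, paper = len(box.ballots), len(box.paperLog)
	return voters, electronic, paper, voters == electronic && electronic == paper
}

// VerifyReceipt lets a voter confirm that a ballot was recorded. It returns only
// yes/no, not the choice, so the receipt cannot serve as proof of how someone
// voted (see the Fraud and Coercion requirement).
func VerifyReceipt(box *BallotBox, receipt string) bool {
	_, ok := box.ballots[receipt]
	return ok
}

func main() {
	reg := NewRegistry([]string{"V-001", "V-002", "V-003"}) // constructed voter roll
	box := NewBallotBox()
	receipt, _ := CastVote(reg, box, "V-001", "Candidate A")
	_, _ = CastVote(reg, box, "V-002", "Candidate B")
	_, err := CastVote(reg, box, "V-001", "Candidate B")
	fmt.Println("second ballot from V-001:", err)
	_, err = CastVote(reg, box, "V-999", "Candidate A")
	fmt.Println("ballot from unregistered V-999:", err)
	fmt.Println("receipt verifies:", VerifyReceipt(box, receipt), "tally:", Tally(box))
	v, e, p, ok := Audit(reg, box)
	fmt.Printf("audit: voters=%d electronic=%d paper=%d consistent=%v\n", v, e, p, ok)
}
```

The ordering comment in CastVote is the part worth copying into a real design: marking the voter first means the worst outcome of a crash is a missing ballot that the audit count reveals, not a duplicate one that it cannot.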
Feasibility and Necessity of Functional Requirements
Of utmost importance to the system is not compromising public confidence in the election process. The first four of the above-mentioned requirements must be fulfilled, as they directly apply to the system's integrity; the remaining requirements are not necessities, but are improvements on the current system. Providing an audit trail makes available a mechanism to verify the accuracy of the system. The system must accurately record and count the votes of each voter. Failure to meet any of these requirements will greatly damage voter confidence that the votes cast will truly count as they were intended.
Although not all of the requirements are necessities for the system, they will all encourage acceptance of the system. In addition, they will improve upon the current system, where there are mistaken votes and often confusion within the voting process.
All of the listed functional requirements can seamlessly be built into the design and implementation of the system. The cost should also be relatively acceptable.
Security Requirements
User Authentication It is extremely important that the voting integrity of each voter be carefully protected. This may require a change in the voter registration process to provide secure keys for accessing and using the system. Protecting against identity fraud is a necessity. The integrity and secrecy of each voter's ballot must be maintained.
Client Server Communication The link over which voting results are communicated to be combined and tallied must be carefully monitored. Intruders should not be able to view results or any other transactions. The system should provide some ability to check the integrity of this communication: if a malicious agent has manipulated any information, either the client or the server should be able to recognize the modification.
Malicious Payload The system should be capable of defending against the delivery of a malicious payload. This includes prevention, detection and deletion of the payload if it cannot be completely prevented.
Denial Of Service The system should be capable of defending against, or maintaining operation during, any denial-of-service attack. The centralized and decentralized tally centers must be able to receive all communication.
Fraud and Coercion The system must protect against certain social issues such as fraud and coercion during the election process (as our current system attempts to do). There should not be any way for politicians to influence voters after they enter the voting area.
Encryption There must be some sort of public key encryption (possibly DES) for all of the data. Everything the user inputs should be encrypted before it gets transmitted. The encryption scheme must be secure enough to have no possibility of being broken on election day and the following audit period.
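The Client Server Communication and Encryption requirements above ask for two properties: that a ballot cannot be read in transit, and that the client or server can recognize any modification. The following Go program is an added example written for this edit, not the project's code. It seals a ballot with a hybrid scheme (a fresh AES-256-GCM key for the ballot body, wrapped with the tally center's RSA-OAEP public key) and shows that a single flipped ciphertext byte, or a ballot replayed under a different precinct label, is rejected instead of being miscounted. One caveat on the Encryption requirement as written: DES is a symmetric block cipher rather than a public-key algorithm, and its 56-bit key can be brute-forced with modest hardware today, so the example uses AES-GCM for the symmetric part and RSA-OAEP for the public-key part. The precinct label, the sample ballot text, the OAEP label and all function names are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedBallot is what a kiosk transmits: the AES key wrapped with RSA-OAEP,
// the GCM nonce, and the ciphertext (which carries its own authentication tag).
type SealedBallot struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// oaepLabel binds the wrapped key to its purpose; constructed constant.
var oaepLabel = []byte("kiosk-ballot-key")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBallot encrypts a ballot for the tally center's public key. The precinct
// name is passed as additional authenticated data, so a sealed ballot cannot be
// moved into another precinct's count without the integrity check failing.
func SealBallot(pub *rsa.PublicKey, precinct string, ballot []byte) (*SealedBallot, error) {
	key := make([]byte, 32) // fresh AES-256 key for this one ballot
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, ballot, []byte(precinct))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SealedBallot{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenBallot runs at the tally center. Any change to the wrapped key, nonce,
// ciphertext or precinct label makes the authentication check fail, which is
// the "recognize the modification" property the communication requirement asks for.
func OpenBallot(priv *rsa.PrivateKey, precinct string, sb *SealedBallot) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sb.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("ballot key could not be unwrapped")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, sb.Nonce, sb.Ciphertext, []byte(precinct))
	if err != nil {
		return nil, errors.New("ballot was modified in transit or mislabelled")
	}
	return pt, nil
}

// TamperedCopy flips one ciphertext byte; it exists only to show that the
// receiver rejects a modified ballot instead of counting a corrupted one.
func TamperedCopy(sb *SealedBallot) *SealedBallot {
	ct := append([]byte(nil), sb.Ciphertext...)
	ct[0] ^= 0x01
	return &SealedBallot{WrappedKey: sb.WrappedKey, Nonce: sb.Nonce, Ciphertext: ct}
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // tally center's key pair
	if err != nil {
		panic(err)
	}
	ballot := []byte("PRESIDENT=Candidate A;SENATE=Candidate B") // constructed sample ballot
	sb, err := SealBallot(&priv.PublicKey, "precinct-07", ballot)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext exposes ballot text:", bytes.Contains(sb.Ciphertext, []byte("Candidate")))
	pt, err := OpenBallot(priv, "precinct-07", sb)
	fmt.Printf("intact ballot: %q err=%v\n", pt, err)
	_, err = OpenBallot(priv, "precinct-07", TamperedCopy(sb))
	fmt.Println("tampered ballot:", err)
	_, err = OpenBallot(priv, "precinct-08", sb)
	fmt.Println("replayed into another precinct:", err)
}
```

Authenticated encryption gives confidentiality and tamper detection in one primitive; a scheme that encrypts without authenticating (plain DES or AES in CBC mode, for instance) would let a modified ballot decrypt to garbage that the tally could count.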
Feasibility and Necessity of Security Requirements
All of the security requirements are necessary for the system to work properly. If too many are not met, the integrity of the entire system, as well as of the election process as a whole, will be destroyed. However, depending on the type of Internet polling, not all of them are completely feasible.
There is currently no durable prevention of a denial-of-service attack. This makes this requirement highly infeasible in a Remote Internet Voting environment. However, in a Polling Place Internet Voting environment, as we are proposing, it is entirely possible for individual machines to maintain unconnected functionality during an attack and simply reconnect when the attack has ended.
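The approach just described, kiosks that keep working while their link to the tally center is down and reconnect afterwards, needs one further property to be safe: when the link returns, the kiosk cannot know which ballots arrived before the outage, so it will retransmit, and the tally center must not count a ballot twice. This Go program is an added example for this edit, not the project's design; the Outbox, Envelope and TallyCenter names and the ballot IDs are constructed. It keeps undelivered sealed ballots in an ordered outbox, stops at the first link failure without dropping anything, and deduplicates on a per-ballot identifier at the receiving end so that a retransmitted ballot is acknowledged but counted only once.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrLinkDown models the tally center being unreachable during an outage.
var ErrLinkDown = errors.New("link to tally center unavailable")

// Envelope is one sealed ballot in transit. ID is assigned once when the ballot
// is cast and never changes, so every retransmission carries the same ID.
type Envelope struct {
	ID      string
	Payload []byte // opaque, already-encrypted ballot bytes
}

// Outbox holds the sealed ballots a kiosk has not yet delivered, in cast order.
type Outbox struct {
	pending []Envelope
}

func (o *Outbox) Enqueue(e Envelope) { o.pending = append(o.pending, e) }

func (o *Outbox) Pending() int { return len(o.pending) }

// Flush delivers pending ballots in order. On the first failure it stops and
// keeps the undelivered ballots (including the one that failed, whose fate is
// unknown to the kiosk) queued for the next attempt.
func (o *Outbox) Flush(send func(Envelope) error) (delivered int, err error) {
	for len(o.pending) > 0 {
		if err := send(o.pending[0]); err != nil {
			return delivered, err
		}
		o.pending = o.pending[1:]
		delivered++
	}
	return delivered, nil
}

// TallyCenter receives envelopes and counts each ID once. A ballot whose first
// copy arrived just before the link dropped (so the kiosk never saw the
// acknowledgement) is simply acknowledged again when it is retransmitted.
type TallyCenter struct {
	Up       bool
	seen     map[string]bool
	received []Envelope
}

func NewTallyCenter() *TallyCenter {
	return &TallyCenter{Up: true, seen: make(map[string]bool)}
}

func (tc *TallyCenter) Receive(e Envelope) error {
	if !tc.Up {
		return ErrLinkDown
	}
	if tc.seen[e.ID] {
		return nil // duplicate: acknowledge, do not count again
	}
	tc.seen[e.ID] = true
	tc.received = append(tc.received, e)
	return nil
}

func (tc *TallyCenter) Received() int { return len(tc.received) }

// RunOutageScenario drives one outage: three ballots are cast, the link drops
// after the first is stored but before its acknowledgement reaches the kiosk,
// the kiosk keeps accepting votes offline, and everything is delivered once the
// link returns. It returns ballots acknowledged before the outage, ballots
// acknowledged after reconnecting, and ballots the tally center counted.
func RunOutageScenario() (beforeOutage, afterReconnect, counted int) {
	tc := NewTallyCenter()
	box := &Outbox{}
	for _, id := range []string{"b-001", "b-002", "b-003"} { // constructed IDs
		box.Enqueue(Envelope{ID: id, Payload: []byte("sealed:" + id)})
	}
	calls := 0
	flaky := func(e Envelope) error {
		calls++
		err := tc.Receive(e)
		if calls == 1 { // stored, but the acknowledgement is lost
			tc.Up = false
			return ErrLinkDown
		}
		return err
	}
	beforeOutage, _ = box.Flush(flaky)
	box.Enqueue(Envelope{ID: "b-004", Payload: []byte("sealed:b-004")}) // cast while offline
	tc.Up = true
	afterReconnect, _ = box.Flush(tc.Receive)
	return beforeOutage, afterReconnect, tc.Received()
}

func main() {
	b, a, c := RunOutageScenario()
	fmt.Printf("acknowledged before outage=%d, after reconnect=%d, counted=%d\n", b, a, c)
}
```

In the scenario b-001 is transmitted twice (once before and once after the outage) but counted once, and b-004, cast while the link was down, is delivered on reconnection; without the ID check at the receiver the retransmission would add a phantom ballot to the count.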
The defense against a malicious payload may require unique technology. To that end, a unique and secure operating system and web browser can be provided. However, this would be extremely difficult in a Remote Internet Voting environment, where there is a diverse population of operating systems and web browsers containing a variety of security flaws. It is more likely a consideration for Polling Place Voting environments.
Ballot integrity and secrecy can be protected with the use of encryption technology both within the kiosk and during transmission.