Page 95 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
A Secure Architecture for Voting Electronically (SAVE)
the election process to the otherwise secure communication channels. Included
with this type of threat are the distributors of the code, as well as
the hardware providers.
External Hackers. To date, external hackers have not had enough time and
access to voting systems to hack them. Closed-source voting systems such
as Diebold's, which was found on an open FTP server in source code form,
have appeared to have stark weaknesses [8,24,5,13]. That is, when Diebold's
source code was exposed in this example, many vulnerabilities were easily
visible to the programmers reviewing the code. With experience with the
protocols and enough time, if a system is communicating over open lines,
outside hackers could modify, delete and/or record messages between system
components. If the system is not over an open network, this threat is of
far less concern. Access to code would enable hackers to analyze the user
interface and external ports for control codes that enable special modes
in which votes can be changed, added or deleted. In the vast majority of
voting systems which do not keep ballot images, the counts could easily be
manipulated without recourse.
Malicious Voters. A voter gaining access to the system could try to vote more
than once or as another person, or try to steal the votes of other individuals.
Without gaining access to the system, voters may attempt to use phony
smart-cards, claim/demonstrate that the phony card does not work and obtain
a second valid card. While to date care has been taken to limit access to
smart cards or other methods of opening a poll, it is possible and important
to improve access control to the voting act.
Corrupt Election Officials. Election officials may be interested in more than
running a fair election. Often such officials are political appointments, and
as such may be subject to influence. In addition, poll workers may also have
ulterior motives in their work. Thus, it is extremely important to design
an architecture that would be resilient to and expose intentional fraudulent
behavior on the part of election workers and officials.
By implementing multiple, diverse versions of each part of the voting system, as
in SAVE, the evil development company suddenly can no longer compromise the
entire voting process. External hackers and corrupt election officials have many
more systems to analyze and compromise. Finally, malicious voters would now
have to overcome a registration system that actually marks their ballot with an
authentication code, preventing double voting.
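As an added illustration (not part of the original chapter, and not SAVE's own code), the following Python sketch shows one way a registration system could issue an authentication code that accompanies each ballot, so that forged and reused codes are rejected. The HMAC-based code format and the names Registrar, BallotBox and demo are assumptions; this page does not specify how SAVE constructs its codes.

```python
import hashlib
import hmac
import secrets


class Registrar:
    """Issues one authentication code per registered voter (hypothetical design)."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued = set()  # voter IDs that already hold a code

    def issue(self, voter_id: str) -> str:
        # Refusing a second code blocks the "my card does not work" trick.
        if voter_id in self._issued:
            raise ValueError("voter already holds a code")
        self._issued.add(voter_id)
        nonce = secrets.token_hex(16)  # random, so the code does not reveal voter_id
        tag = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{tag}"


class BallotBox:
    """Accepts a ballot only if its code is genuine and has not been used before."""

    def __init__(self, key: bytes):
        self._key = key
        self._spent = set()  # nonces of codes already used to cast a ballot
        self.ballots = []    # choices only; codes are not stored with them

    def cast(self, code: str, choice: str) -> str:
        nonce, _, tag = code.partition(".")
        expected = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "rejected: forged code"
        if nonce in self._spent:
            return "rejected: code already used"
        self._spent.add(nonce)
        self.ballots.append(choice)
        return "accepted"


def demo():
    key = secrets.token_bytes(32)        # constructed key shared by both components
    reg, box = Registrar(key), BallotBox(key)
    code = reg.issue("voter-001")        # constructed voter ID
    phony = "00" * 16 + "." + "0" * 64   # constructed forged code
    results = [box.cast(code, "A"), box.cast(code, "B"), box.cast(phony, "B")]
    return results, box.ballots
```
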
3.3 Security of Paper Systems
Paper voting systems have a number of possible failure modes, as well as possible
attacks. Even the best-practice methods of hand counting are more error-prone
than electronic means, and most paper systems involve electronic scanning
and tabulation [9]. They still present several attacks that must be anticipated,
and countered. This section summarizes some attacks at various stages of the
voting process.

