Security Review: Helios Online Voting

By Orion at 9:55 pm on March 13, 2009

The Technology

The technology being evaluated is the Helios Online Voting Booth, usable at http://www.heliosvoting.org and outlined in the 2008 Usenix Security paper available at the same site. The election system does not create novel cryptographic tools or algorithms; rather, it provides a protocol for using existing cryptography to run an election that is universally verifiable and provides ballot casting assurance as well as voter secrecy. The general outline of the system is as follows:

  • The voter fills out a ballot and then “seals” it by essentially encrypting it with the election’s public key so that only the election administrators can decrypt it.
  • The voter then has the option of verifying that the sealed ballot contains the choices she made; if she does so, the ballot must be “resealed” with new randomness before it can be cast.
  • The voter is then authenticated and, if allowed to participate in the election, their ballot is “cast” to the server and the voter receives a copy of their sealed ballot.
  • Upon receipt, the server publicly publishes the voter’s name and sealed ballot so the voter can verify that the sealed ballot is the same as the one cast.
  • Upon election conclusion, the server downloads all sealed ballots from the previously mentioned public place and scrambles and re-encrypts them with a mixnet.
  • The server then decrypts all ballots and tallies the totals, providing proof of correctness.
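The outline above, as an added example that is not Helios's own code: a toy booth built on exponential ElGamal over a small safe-prime group (the group parameters, the SHA-256 receipt and the exact ciphertext layout are assumptions of this example, not values from the paper). It shows sealing a ballot with fresh randomness, the audit that reveals the randomness so anyone can recompute the ciphertext, resealing after an audit, casting (which keeps only the ciphertext and a receipt), and the shuffle-and-re-encrypt step a mixnet performs before decryption. The proof of correct mixing and decryption is not modelled.

```python
import hashlib
import json
import secrets

# Toy safe-prime group, an assumption of this example (real deployments use
# 1024-bit or larger parameters): P = 2*Q + 1, and G generates the order-Q subgroup.
P, Q, G = 23, 11, 4


def keygen():
    """Election key pair: private x, public h = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def seal(choice, pk, r=None):
    """Encrypt a candidate index (0 <= choice < Q) under the election public key.

    Exponential ElGamal: (G^r, G^choice * pk^r). The randomness r is returned
    because the audit step needs it; a cast ballot discards it.
    """
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, r, P)
    c2 = pow(G, choice, P) * pow(pk, r, P) % P
    return (c1, c2), r


def audit(sealed, pk, claimed_choice, revealed_r):
    """Voter-side check of a sealed-but-not-cast ballot: the booth reveals the
    choice and randomness, and anyone can recompute the ciphertext."""
    return seal(claimed_choice, pk, revealed_r)[0] == sealed


def fingerprint(sealed):
    """Short hash of the sealed ballot; the voter keeps this as a receipt."""
    return hashlib.sha256(json.dumps(sealed).encode()).hexdigest()[:16]


def cast(sealed):
    """Casting commits to the ciphertext only. The randomness is deliberately
    not part of the receipt, so the receipt cannot reveal the vote."""
    return {"sealed": sealed, "receipt": fingerprint(sealed)}


def reencrypt(sealed, pk):
    """Multiply by a fresh encryption of 0: the re-randomisation a mixnet applies."""
    c1, c2 = sealed
    (z1, z2), _ = seal(0, pk)
    return (c1 * z1 % P, c2 * z2 % P)


def mix(sealed_ballots, pk):
    """Shuffle and re-encrypt; output ballots cannot be matched to inputs."""
    mixed = [reencrypt(b, pk) for b in sealed_ballots]
    secrets.SystemRandom().shuffle(mixed)
    return mixed


def unseal(sealed, sk):
    """Decrypt to G^choice, then recover choice by a table lookup (choice < Q)."""
    c1, c2 = sealed
    gm = c2 * pow(pow(c1, sk, P), -1, P) % P
    for m in range(Q):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext not in the encoded range")


def tally(mixed_ballots, sk):
    """Decrypt every mixed ballot and count choices."""
    counts = {}
    for b in mixed_ballots:
        m = unseal(b, sk)
        counts[m] = counts.get(m, 0) + 1
    return counts


def booth_session(choice, pk, audit_rounds=1):
    """The booth flow from the outline: seal, optionally audit (which forces a
    reseal with fresh randomness), then cast and hand back a receipt."""
    sealed, r = seal(choice, pk)
    for _ in range(audit_rounds):
        assert audit(sealed, pk, choice, r)   # an honest booth passes the audit
        sealed, r = seal(choice, pk)          # an audited ballot is never cast
    return cast(sealed)


if __name__ == "__main__":
    sk, pk = keygen()
    receipts = [booth_session(c, pk, audit_rounds=1) for c in (1, 1, 2, 0)]
    print("receipts:", [x["receipt"] for x in receipts])
    print("tally:", tally(mix([x["sealed"] for x in receipts], pk), sk))
```

An audited ballot is thrown away rather than cast because the audit revealed its randomness, which would let anyone holding the receipt decrypt the vote; that is why the outline insists on resealing.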

The paper contains a few proposed improvements to current weaknesses, but I still felt it reasonable to discuss those weaknesses. More information on the broader implications of this system was presented in a Current Events article published earlier today.

Assets and Security Goals

  • The election system needs to provide ballot casting assurance. The voter needs to be able to verify that his/her ballot was received, and received correctly, in order for him/her to deem the election valid. This makes sure that the voting system cannot change or destroy a voter’s ballot without the voter being able to find out.
  • The election system needs to provide universal verifiability. Anyone must be able to independently and externally verify that all votes that were received were, in fact, counted and counted correctly in order for the election to be known to be valid. This, with the above, makes sure that not even the election administrators can tamper with the election.
  • The election system needs to provide voter secrecy. It should be impossible for anyone to link a voter to his/her vote, so that voters are free to vote for whomever they want without fear of punishment.

Adversaries and Threats

  • Anyone (including the election administrators) wishing to fix an election for monetary, religious, or political gain may try to change or destroy ballots or tamper with ballot counting without being discovered.
  • Anyone wishing to discover who voted for whom may try to link individual voters and ballots, either during or after voting.

Potential Weaknesses

  • It is possible, just after the voter casts his/her ballot, for a corrupt router to intercept the ballot en route to the Helios server and send the user a fake Helios server success code, causing the “voting booth” to immediately display a false success message and clear the ballot from memory. At worst, the voter fails to later check that their ballot was recorded on the server before the end of the election and his/her ballot is never counted. At best, the voter realizes their vote was not counted and has to cast a new ballot.
  • As it currently exists, if the election administrator allows Helios to administrate the election (as it seems they suggest doing), it is possible for a corrupt Helios server to create new, fake voters and cast ballots on their behalf without easily being discovered. Since the system relies upon voters validating their votes, it would be difficult to distinguish between actual voters who didn’t validate their vote and server-generated voters.
  • As the client-side code utilizes jQuery, LiveConnect, and Java BigInteger libraries, any vulnerabilities or cryptographic insecurities in that code could potentially be exploited to tamper with the election.
  • As currently implemented, the election administrator (who has the power to add voters and freeze the election) is authenticated through Google Accounts. Any vulnerability in the login (weak password, easily guessed security questions, etc.) could allow an attacker to end the election prematurely or add additional voters (potentially multiple accounts for the same voter).
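The checks that surface the first two weaknesses, as an added example that is not part of the original post or of Helios: a voter compares the receipt kept from the booth against the public list the server publishes, trusting the list rather than the booth's success message, and an auditor compares the published names against an independently held voter roll and against the set of voters who actually confirmed their receipts. Sealed ballots are opaque strings here, the SHA-256 receipt format is assumed, and all names and ballots are constructed sample data.

```python
import hashlib


def fingerprint(sealed_ballot):
    """Short hash of a sealed ballot; this is the voter's receipt (SHA-256 assumed)."""
    return hashlib.sha256(sealed_ballot.encode()).hexdigest()[:16]


def check_receipt(board, voter, receipt):
    """Voter-side check. The booth's success message is not trusted; only the
    public bulletin board counts. Returns 'recorded', 'missing' or 'mismatch'."""
    published = board.get(voter)
    if published is None:
        return "missing"
    return "recorded" if published == receipt else "mismatch"


def unexpected_voters(board, roster):
    """Auditor-side check: names on the board that are not on an independently
    held list of eligible voters are candidates for server-generated voters."""
    return sorted(set(board) - set(roster))


def unverified_voters(board, confirmed):
    """Voters whose ballots appear on the board but who never confirmed their
    receipt. A genuine voter who skipped the check and an invented voter look
    the same here, which is the point the second weakness makes."""
    return sorted(set(board) - set(confirmed))


# Constructed sample data.
ROSTER = ["alice", "bob", "carol"]
BOARD = {
    "alice": fingerprint("sealed-ballot-alice"),
    "carol": fingerprint("sealed-ballot-carol"),
    "dave": fingerprint("sealed-ballot-dave"),   # not on the roster
}
# bob's booth displayed "success", but his ballot never reached the server.
BOB_RECEIPT = fingerprint("sealed-ballot-bob")
CONFIRMED = ["alice"]   # carol never checked her receipt; dave does not exist


if __name__ == "__main__":
    print("alice:", check_receipt(BOARD, "alice", fingerprint("sealed-ballot-alice")))
    print("bob:", check_receipt(BOARD, "bob", BOB_RECEIPT))
    print("not on roster:", unexpected_voters(BOARD, ROSTER))
    print("never confirmed:", unverified_voters(BOARD, CONFIRMED))
```

The roster comparison only works when the list of eligible voters is held by someone other than the server that publishes the board; if Helios both keeps the roll and publishes the board, the `unverified_voters` list is all an auditor has.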

Potential Defenses

  • The main defense the Helios system uses to prevent the sort of ballot manipulation or rejection described in the first weakness is to provide open-source tools for the user to verify that the ballot they have created (but not yet cast) does indeed contain the desired voting preferences. This seems to be the best possible solution short of forcing the user to verify their ballot, because it should be inherently impossible to validate the values in a ballot after it has been cast (otherwise others could view the values as well).
  • The Helios defense against a corrupt Helios server administering an election and creating fake voters is to provide means for other election administrators to acquire and store the election’s private key needed to decrypt the votes.

Risks and the Big Picture

  • The risks associated with this sort of system are nothing less than selling democracy to the highest bidder, or at least the one with the most computing power. If this sort of system were eventually used for a governmental election, the key lengths (currently 1024) would need to be significantly larger because the stakes are so much higher. All of a sudden the researchers with 10,000 PS3 cells, or the BBC with a botnet of 10,000 computers, might be able to crack encryption keys and tamper with ballots or fake election results. Since this system is based upon computational security, it needs to be implemented in such a way that even the best of the FBI cannot affect the results. Otherwise the currently established government could control all subsequent election results.
  • Most of the risks can be alleviated through complete voter validation of their ballots, in combination with auditing of the election results using the proofs of correctness that are part of the system. If many voters do not do this, however, then many security flaws may go unnoticed.

Conclusion

The general idea is that here is finally a system which seems to hint that it may be possible to design an electronic voting system that is secure and transparent. The details have obviously not been ironed out, and may not be for some time, but the spirit of the system is enough to provide some hope in this era where Diebold Premier Election Solutions voting booths are still being used in US elections. The Helios system is not the solution, but it is a step in the right direction, if for no other reason than Kerckhoffs would be rolling in his grave if he knew how we trusted Diebold’s secret code to run this democracy. When not even the government in charge of an election can alter its outcome without the public being able to check, elections may finally be able to be trusted.

Sources

http://www.physorg.com/news155473407.html
Adida, B. Helios: Web-based Open-Audit Voting. Usenix Security 2008.

Filed under: Integrity, Privacy, Security Reviews