UConn paper warns of limitations of cryptography

We have just become aware of an excellent paper from the University of Connecticut (UConn): Integrity of Electronic Voting Systems: Fallacious Use of Cryptography

The report describes the limits of cryptography in protecting the integrity of election equipment, our votes, and ultimately our democracy. The authors also provide a memorable phrase that applies well beyond cryptography and elections:

Use of good tools must go hand-in-hand with good use of tools. In particular, severe security deficiencies have been reported in electronic voting terminals despite the use of cryptography. In this way, superficial uses of cryptography can lead to a false sense of security. Worse, cryptography can prevent meaningful independent technological audits of voting equipment when encryption obfuscates the auditable data. A vendor may provide its own test and audit tools, but relying on the self-test and self-audit features is problematic as one should never trust self-auditing software (cf. relying on a corporate entity to perform self-audit).

They then describe the challenges and limitations of using cryptography in general, the general vulnerabilities of the Diebold-Premier-Dominion AccuVote-TSx, and two specific attacks they demonstrated:

we designed and tested two attacks against the AV-TSx terminal. In the first, the attacker wishes to swap votes received by two candidates. The attacker can be successful provided that the sizes of the two files that define the candidate representation in the digital slate are identical. We found that is not a rare occurrence and in fact our test election contained such pairs of candidates. The swapping was applied to the name definitions of the two candidates and included the integrity check. In the second attack, the attacker simply wishes to make one of the candidates disappear from the slate. This can be achieved through a modification of the file that defines the layout of the candidate’s name.

All our findings are based on straightforward experimentation with the voting terminal; we had no access to internal or proprietary information about the terminal or access to source code.

They point out that systems are vulnerable because of their complexity:

Two observations are critical in this respect: (i) The safety and correctness of a large system is only as good as its weakest link. Additionally, a single failure — whether benign or malicious — can ripple through and affect the entire system. (ii) Procedural counter-measures can be used to mitigate the weaknesses of the system, however, in a large system relying on many distributed procedural elements, the probability of a procedure failure can be extremely high, even if each individual procedure fails with small probability.

They also describe other parts of the system that introduce vulnerability, in particular the removable memory cards and the keys that protect them:

Cryptographic techniques can mitigate the risks of attacks against removable media cards. The level of protection depends upon the strength of the cryptographic techniques, upon the safekeeping of the digital keys used to protect the cards, but also upon the safe-keeping of the voting terminals themselves. Indeed, the firmware of the voting terminal necessarily holds a copy of the digital keys used to protect the removable media. A successful attack against the terminal compromises those keys that an attacker can use to produce forged, compromised removable media cards. This situation is analogous to one where a person always hides a physical key under the doormat – knowing where the key is hidden defeats the purpose of having a lock. The trust in the whole system depends on the vendor diligence in…

Once a card is programmed on EMS, it is shipped to the election officials to be inserted into the voting terminal where it stays for the duration of the election before being shipped back for aggregating the results (where central tabulation is used). The integrity of the card during the entire process is critical to the integrity of the election.

If the card can be tampered with while in transit to the precinct election officials, the entire system can be compromised. The election description can be made inconsistent with the paper ballot leading to an incorrect interpretation of the votes and therefore incorrect tallying.
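The two failure modes the paper describes, per-file integrity checks that travel with the file they protect and a verification key that lives in the terminal firmware, are easy to see in a toy model. The following Python sketch is an added illustration written for this post; it is not code from the UConn report or from any voting-system vendor, and the file names, the card layout, the tag scheme and the key are all assumptions, not the AV-TSx format. It runs the swap attack and the "vanishing candidate" attack against a per-file tag and against a whole-card seal:

```python
"""Toy model of a removable election-definition card protected with per-file
integrity tags.  Added illustration only: the file names, layout, key and tag
scheme are assumptions, not the AV-TSx format.
"""
import hashlib
import hmac

# Assumption: a single symmetric key, stored in the terminal firmware, both
# creates and checks the tags ("the key under the doormat").
FIRMWARE_KEY = b"hypothetical-terminal-key"

# Constructed card contents.  The two candidate files are deliberately the same
# size, the precondition the paper gives for the swap attack.
SAMPLE_FILES = {
    "candidate_1.txt": b"Alice Example".ljust(16),
    "candidate_2.txt": b"Bob Example".ljust(16),
    "layout.txt": b"row1=candidate_1;row2=candidate_2",
}


def tag(key: bytes, data: bytes) -> bytes:
    """Integrity tag over one file's bytes only; the file name is not bound."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_card(key: bytes, files: dict) -> dict:
    """name -> (data, tag), the way a per-file scheme would write the card."""
    return {name: (data, tag(key, data)) for name, data in files.items()}


def verify_per_file(key: bytes, card: dict) -> bool:
    """The weak check: every file's tag matches its own bytes."""
    return all(hmac.compare_digest(tag(key, data), t) for data, t in card.values())


# --- Attack 1: swap two same-size candidate definitions, tags included. -------
def swap_files(card: dict, a: str, b: str) -> dict:
    if len(card[a][0]) != len(card[b][0]):
        raise ValueError("swap needs equal-size files")  # paper's precondition
    out = dict(card)
    out[a], out[b] = card[b], card[a]   # each (data, tag) pair stays internally valid
    return out


# --- Attack 2: with the firmware key in hand, rewrite any file and re-tag it. --
def forge_file(key: bytes, card: dict, name: str, new_data: bytes) -> dict:
    out = dict(card)
    out[name] = (new_data, tag(key, new_data))
    return out


# --- Stronger check: one tag over the whole card that binds name, size and data.
def card_digest(card: dict) -> bytes:
    h = hashlib.sha256()
    for name in sorted(card):                     # fixed order, so the digest is canonical
        data = card[name][0]
        h.update(name.encode() + b"\0" + len(data).to_bytes(4, "big") + data)
    return h.digest()


def seal_card(key: bytes, card: dict) -> bytes:
    return tag(key, card_digest(card))


def verify_sealed(key: bytes, card: dict, seal: bytes) -> bool:
    return hmac.compare_digest(seal_card(key, card), seal)


def demo(key: bytes = FIRMWARE_KEY) -> dict:
    """Run both attacks against both checks; returns which checks still pass."""
    card = build_card(key, SAMPLE_FILES)
    seal = seal_card(key, card)

    swapped = swap_files(card, "candidate_1.txt", "candidate_2.txt")
    vanished = forge_file(key, card, "layout.txt", b"row1=candidate_1")  # candidate 2 gone
    return {
        "original/per_file": verify_per_file(key, card),
        "original/sealed": verify_sealed(key, card, seal),
        # per-file tags cannot tell that the two files changed places
        "swapped/per_file": verify_per_file(key, swapped),
        "swapped/sealed": verify_sealed(key, swapped, seal),
        # the whole-card seal catches the edit only while the key is secret...
        "vanished/sealed_old_seal": verify_sealed(key, vanished, seal),
        # ...an attacker holding the firmware key simply reseals the card
        "vanished/sealed_resealed": verify_sealed(key, vanished, seal_card(key, vanished)),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:28s} {'ACCEPTED' if passed else 'rejected'}")
```

Binding each file's name and size into a single seal over the whole card defeats the swap, because the tags no longer travel with the bytes they cover. It does nothing against the second problem: whoever recovers the key from a terminal can reseal any card they like, which is exactly why the paper ties the protection of the cards to the safe-keeping of the terminals themselves.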

Implications for Connecticut

Although we use the AccuVote-OS and this report is on the AccuVote-TSx, many similar risks apply, even if the AccuVote-OS makes less use of cryptography. As the UConn report points out:

in 2005 H. Hursti released his findings on the Diebold OpticalScan system (the so-called “Hursti Hack”). This was an early design that used only a superficial password protection to secure the system. Newer designs normally incorporate some cryptographic tools; however, the application of the tools remains haphazard.

That is the same system in use today, everywhere in Connecticut.


