The Punchscan Voting System: Refinement and System Design
Rick Carback, Kevin Fisher
Sandi Lwin
May 8, 2006
New and Significant
• Punchscan implementation with current technology
  – Requirements of hardware and software
  – Verification of software
• Data flow
• Interfaces
• Security properties of the system
Outline
• Punchscan Revisited
• System Design
• Data Flow
• Hardware and Software Components
• Interfaces
• Security Properties
• Conclusion
Punchscan Revisited
• Mark the hole with the character matching your choice.
• Split the two sheets. Scan one, shred one.
The Punchboard
Before the election, tables are generated like the ones above.
The Punchboard
Before the election, this is posted on the bulletin board. The grey boxes cover up how the ballots look and are decoded.
The Punchboard
Next, the auditor chooses half the rows.
The Punchboard
After the election, officials fill the tables and release receipt halves.
The Punchboard
Auditors choose to reveal the left or right half of Decode.
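To make the commit-then-audit flow of the Punchboard concrete, here is an added simulation written for this page (not the Punchscan project's own software). It assumes a two-candidate race so each ballot's two sheet orders p1, p2 and the two Decode flips f1, f2 are single bits, uses SHA-256 over a random nonce as the commitment behind each grey box, spoils the auditor's half of the rows before the election, and opens only the left or right half of Decode afterwards.

```python
import hashlib, os, random

def commit(value, nonce):
    # Commitment = SHA-256(nonce || value); opening it means revealing (value, nonce).
    return hashlib.sha256(nonce + bytes([value])).hexdigest()

def make_punchboard(n, rng):
    # Secret rows (p1, p2 sheet orders; f1, f2 Decode flips) plus the public board of commitments.
    rows = []
    for _ in range(n):
        p1, p2, f1 = rng.randint(0, 1), rng.randint(0, 1), rng.randint(0, 1)
        f2 = p1 ^ p2 ^ f1  # flips must compose to p1 ^ p2 so Decode undoes both sheets
        rows.append({"vals": (p1, p2, f1, f2), "nonces": [os.urandom(8) for _ in range(4)]})
    board = [[commit(v, nc) for v, nc in zip(r["vals"], r["nonces"])] for r in rows]
    return rows, board

def audit_pre_election(rows, board, chosen):
    # Auditor's half of the rows is opened completely, checked, and never used for voting.
    for i in chosen:
        p1, p2, f1, f2 = rows[i]["vals"]
        opened = [commit(v, nc) for v, nc in zip(rows[i]["vals"], rows[i]["nonces"])]
        if opened != board[i] or f1 ^ f2 != p1 ^ p2:
            return False
    return True

def fill_decode(rows, marks):
    # Officials fill Decode: mark position -> intermediate (flip 1) -> result (flip 2).
    return {i: (pos, pos ^ rows[i]["vals"][2], pos ^ rows[i]["vals"][2] ^ rows[i]["vals"][3])
            for i, pos in marks.items()}

def audit_post_election(rows, board, filled, side):
    # Opening one flip per row keeps mark and result unlinked; a forged cell is caught w.p. 1/2 per row.
    col, src, dst = (2, 0, 1) if side == "left" else (3, 1, 2)
    for i, cells in filled.items():
        f, nc = rows[i]["vals"][col], rows[i]["nonces"][col]
        if commit(f, nc) != board[i][col] or cells[dst] != cells[src] ^ f:
            return False
    return True

def run_election(n=8, seed=7):
    rng = random.Random(seed)
    rows, board = make_punchboard(n, rng)
    chosen = rng.sample(range(n), n // 2)  # auditor picks half the rows to spoil
    choices = {i: rng.randint(0, 1) for i in range(n) if i not in chosen}  # constructed voter intents
    marks = {i: c ^ rows[i]["vals"][0] ^ rows[i]["vals"][1] for i, c in choices.items()}  # hole punched
    filled = fill_decode(rows, marks)
    return {"rows": rows, "board": board, "chosen": chosen, "choices": choices,
            "filled": filled, "decoded": {i: r for i, (_, _, r) in filled.items()}}
```

Each decoded result equals the voter's intent because the two flips cancel the two sheet orders, while a forged result cell passes the left-side audit and fails the right-side one, which is why the auditor's choice of side must be unpredictable.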
System Design
Meet the Weebles!
Stage 1: Initialize Election
Stage 2: Pre-Election
Stage 3: Election Day
Stage 4: Post-Election
Data Flow
Hardware and Software
Ballot Authoring Software
• Operation
  – Defines how the ballot looks
  – Gives questions in the required languages
• Low security
  – Works only with public data
  – Output independently verified on the web server
  – Access to the web server should be turned off after data is uploaded
Printer
• Must use secure paper
• Cannot keep ballot information
  – Data fed to the printer must also be destroyed/erased
• Must fold the paper and punch the hole in the top page.
Scanner
• Must be properly calibrated
• Only sends positions to the web server, nothing else.
Shredder
• Must completely destroy the half of the ballot the voter discards
  – Crosscut shredder
  – Incinerator
Web Server
• Needs load balancing to avoid DoS
• Needs strict access controls
  – Essentially all the things you would do to secure any web server on the Internet
• Database should be protected
• Has implications for voter confidence…
Diskless Workstation
• Permutation generation
• Generate printable ballots
• Encrypted with printer’s key
• Ballot counting
• Software verification
• Boots and runs software from a Linux Live CD
• Use hashing
• Computer with no hard drive
• Does not save data between meetings
Interfaces
• XML
• USB
• SQL Queries
Security Properties
• Subliminal Channels
  – Scanner only records positions
• Social Engineering
  – Simplicity is the key
• Denial of Service
  – Scanner calibration attack
  – Destroy vote before scanning phase
  – Destroy equipment (scanner / Internet connection)
  – Destroy paper ballots
  – Spoil Punchboard
  – Spoil printed materials
Future Work
• Implement defined elements with modern hardware and software
• Expand security discussion into formal attack tree
• Invite discussion, analysis from e-voting community
The End