Prime III
Prime III is a system developed at Auburn U. The reviewer says:
At first glance the system appears really well designed. The voter may vote by touch screen and/or by voice in a very intuitive way. If the touch screen has been compromised, the voter uses the microphone to express her will. No one can understand what the voter is doing because Prime III randomly links the candidates' names with the number of BEEPs that the voter may use to cast the ballot. So, for example, if two voters want to vote for the same candidate at the same time, they will speak different sequences of BEEPs. Moreover, Prime III utilizes a dynamic imposter file organization which dynamically generates random signed ballot files in a complex folder system, where only one is the correct one. The real vote folder is determined by an input key set by the election administration official. The whole system runs on SELinux versions, where it takes the log information if necessary.
I will need more information to determine how secure this really is. The Prime III page (click “visual examples”) says, “Each file, whether real or an imposter, is encrypted with Triple Data Encryption Standard (Triple-DES), Advanced Encryption Standard (AES) or other encryption algorithms. The encryption method used for the imposter files are pre-assigned and may vary from precinct to precinct.”
Use of encryption is dandy, but the above statement tells us nothing about how this encryption is achieved and how it protects anything. I need more information on their key management practices before I buy their claim that encryption actually does something in their system. It sounds like their system requires long-term symmetric keys, which can have terrible consequences if compromised, and yet must be retained for the duration that the system is operating.
The randomized folder names strike me as security by obscurity, which is worthless against a determined attacker.
I wonder how the dummy votes are generated - if those are random, can the real votes be distinguished from the random ones by statistical analysis of the contents?
Their process of “voter verifiable video audit trails” as a way of achieving software independence is interesting. I hope their video logs are hard to alter (displaying time on the UI would prevent replay attacks, for instance).
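The question above about telling real votes from dummy ones can be made concrete with a small simulation. This is an added example, not Prime III code: the contest, the vote shares, the folder count and the assumption that ballot contents are readable (for instance after a key compromise) are all constructed for illustration.

```python
import random
from collections import Counter

CANDIDATES = ["A", "B", "C", "D"]   # constructed contest
REAL_WEIGHTS = [48, 40, 9, 3]       # constructed vote shares, skewed like a real race

def chi_square_vs_uniform(ballots):
    """Pearson chi-square of candidate counts against a uniform draw."""
    counts = Counter(ballots)
    expected = len(ballots) / len(CANDIDATES)
    return sum((counts[c] - expected) ** 2 / expected for c in CANDIDATES)

def build_store(decoys, seed=2008, folders=20, per_folder=500):
    """Return (list of folders, index of the real one).

    decoys="uniform": every decoy ballot picks a candidate uniformly.
    decoys="skewed":  every decoy folder gets its own shuffled skewed shares.
    """
    rng = random.Random(seed)
    real = rng.randrange(folders)
    store = []
    for i in range(folders):
        if i == real:
            weights = REAL_WEIGHTS
        elif decoys == "uniform":
            weights = [1] * len(CANDIDATES)
        else:
            weights = rng.sample(REAL_WEIGHTS, len(REAL_WEIGHTS))
        store.append(rng.choices(CANDIDATES, weights=weights, k=per_folder))
    return store, real

def stand_out(store, threshold=50.0):
    """Indices of folders whose counts are far from uniform.

    50 is well above 16.27, the p = 0.001 critical value for 3 degrees
    of freedom, so uniform decoys essentially never cross it.
    """
    return [i for i, f in enumerate(store) if chi_square_vs_uniform(f) > threshold]

if __name__ == "__main__":
    for mode in ("uniform", "skewed"):
        store, real = build_store(mode)
        print(mode, "real folder:", real, "flagged:", stand_out(store))
```

With uniform decoys the real folder is the only one flagged; with skewed decoys every folder is flagged, so this particular test no longer singles out the real one, which says nothing about other tests.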
March 12th, 2008 at 4:39 am
Well, actually mine wasn’t a review!!!
I’ve just presented the machine. But I’m going to test it... maybe I’ll have something more detailed in late April… (?).
March 12th, 2008 at 9:03 am
A fair point. I look forward to hearing about what you learn.