Bachelor project - Aegis Digital Voter List
Contents
1. PasswordPage password is shown 6 Choose Export Data two prompt appears Yes None under the File Menu one asking for the mas ter password and one asking for the destina tion of the data If both are valid the data is ex ported to the location 7 Choose Mark Voter un two prompts appears Yes None der the File Menu one allowing you to type the CPR number of a voter and one asking you for the master pass word If the master password is correct a prompt shows whether or not the voter is eligi ble for a ballot DataLoadPage 8 Press N ste on the Dat redirection to the Yes None aLoadPage with data OverviewPage and key selected in the right format 9 Press Naeste on the Dat A prompt telling you No An Exception is thrown aLoadPage with data the import was not suc selected in the right for cessful mat but the key in the wrong format 10 Press N ste on the Dat A prompt telling you No An Exception is thrown aLoadPage with both the import was not suc data and key selected in cessful the wrong format 11 Press N ste on the Dat A prompt telling you Yes None aLoadPage with key se the import was not suc lected in the right for cessful mat but the data in the wrong format 12 Press N ste on the Dat A prompt telling you Yes None aLoadPage with no key the import was not suc and no data selected cessful 13 Pressing the Tilbage redirection t2. StationStatuses Class gt List lt StationStatus gt gt Window 64 Aegis DVL User interface Station Window E Methods ExitClick ExportDataClick HelpClick MarkVoterClick OnClosing StationWindow Class gt Page T El Methods 5 BallotRequestP 5Q BallotResponse 5 BecomeManager a CheckValidityB 9 EndElection IsNumeric PastingHandler PreviewTextinp VoterCardNum WaitingForMan Class Page T El Methods Y BackButtonClick 7 IncomingConn 79 SetPasswordLa StartElection 5 WaitingForMan AcceptManager Class Window El Methods 5Q AcceptManage Y CancelButtonCl Y OkButtonClick Y PwTextboxPass TypeChoicePage Class Page E Methods Y ExitButtonClick Y ManagerButton Y StationButtonCl 4 TypeChoicePage El Methods E AnnounceEndEl BallotRequestR CreateNewStati DiscoverPeers DisposeStation ElectionEnded ElectionStarted EnoughPeers EnoughStations ExchangeKeys GeneratePassw GetPeerlist ImportData ImportElection IsMasterPWCor IsNowManager IsStationActive MakeManager ManagerAnnou NotEnoughPeers RemoveStation RequestBallot RequestBallotO ShowPassword ShowPassword Shutdown StationExchang UiHandler BallotCPRReque Class Window El Methods BallotCPRRequ BallotResponse CancelButtonCl CPRTex
3. 686 Revision 197 687 Author Skovvart 688 Date 2012 05 02 21 04 689 Message 690 691 Revision 196 692 Author Skovvart 63 Date 2012 05 02 20 57 64 Message 695 69 Revision 195 697 Author Skovvart 698 Date 2012 05 02 18 51 699 Message 700 700 Revision 194 702 Author Aaes 703 Date 2012 05 02 18 51 704 Message 705 706 Revision 193 707 Author Skovvart 708 Date 2012 05 02 18 45 709 Message 700 7131 Revision 192 712 Author Aaes 713 Date 2012 05 02 18 45 714 Message 75 716 Revision 191 717 Author Skovvart 718 Date 2012 05 02 18 08 719 Message 720 721 Revision 190 722 Author Skovvart 723 Date 2012 05 02 18 06 724 Message 725 726 Revision 189 727 Author Aaes 722 Date 2012 05 02 17 34 729 Message 730 731 Revision 188 732 Author Skovvart 733 Date 2012 05 02 17 34 734 Message Bugfixes 735 736 Revision 187 737 Author Aaes 738 Date 2012 05 02 16 03 739 Message all dialogs should focus and appear in the right position now middle of the screen 740 741 Revision 186 742 Author Skovvart 743 Date 2012 05 02 16 03 744 Message Dispatcher thread handling 745 746 Revision 185 747 Author Aaes 748 Date 2012 05 02 15 43 749 Message 750 751 Revision 184 752 Author Skovvart 753 Date 2012 05 02 15 43 Page 9 Revision History 21 05 2012 7
4. Class 5 Sender E Methods Execute C GetPassword 7 PublicKeyExcha iS RevokeBallotCo Class E T 2I Properties SF Sender E Methods Execute RevokeBallotCo Q BallotRequestD Class 2I Properties zf Sender E Methods BallotRequestD 7 Execute T Properties EF Sender El Methods Execute 7 PromoteNewM o ShutDowntElecti Class E Properties S T Sender El Methods Execute ShutDownElecti BallotReceivedC Class r E Properties ESF Sender Methods amp BallotReceived Execute 2 Properties CS Sender El Methods EndElectionCo C Execute 60 2 BallotReceivedC Class Ld Properties El Methods BallotReceived Execute 2I Properties CSF Sender El Methods Execute amp StartElectionCo Message Struct 2I Properties ST Command fw SymmetricKey 2i Methods Message 3 Objectinvariant c ToString RequestBallotC Class r Properties TT Sender Methods Execute RequestBallotC PublicKeyWrap Class T E Methods 7 9 GetKey PublicKeyWrap CryptoCommand A Class T 2 Properties XP Sender 2i Methods CryptoCommand Execute 2 ElectNewManag Class E Properties 2 Sender E Methods ElectNewMana Exec
5. the voter id the manager is working with int managerVoter D the voter id the stationListener is working with int stationVoter D the sender of a request int sender the local data sets bool voters STATIONAMOUNT 1 VOTERAMOUNT the amount of ballots handed out to each voters int ballotsHandedOut VOTERAMOUNT the station who needs to hand out a ballot int handOutBallotFromStation 1 Ku J 83 tu C ikolaj Documents My D lor Pra PALLY tW xE Fi Rediger Vis Funktioner Indstillinger Hj lp Ranja ae p Treek ud 1 Js Projekt S1 Station voters 1 0 7 Erklaeringer SL1 StationListener voters 1 0 HS Station Manager 6 5 StationListener S2 Station voters 2 1 E SL2 StationListener voters 2 1 353 Station voters 3 2 SL3 StationListener voters 3 2 34 Station voters 4 3 SL4 StationListener voters 4 3 M Manager voters 0 List one or more processes to be composed into a system system S1 SL1 32 SL2 83 SL3 M 84 Fil Rediger Vis Help Babia AN o Navn Station Parametre bool amp voters VOTERAMOUNT intid Place local declarations here voter is the voter number of the person wanting to vote here 0 1 2 int voter 0 voterConfirmed is whether the voter has already voted in the local d bool voterConfirmed void checkVo
6. 636 Revision 207 637 Author Skovvart 638 Date 2012 05 03 13 54 639 Message Updated DiscoverNetworkMachines to use a CountdownEvent 640 641 Revision 206 642 Author Skovvart 643 Date 2012 05 03 13 26 644 Message Fixed and removed some TODO s 645 646 Revision 205 647 Author Skovvart 648 Date 2012 05 03 13 19 649 Message DiscoverNetworkMachines now waits for all threads to finish DiscoverPeers no longer checks that StationActive since DiscoverNetworkMachines does this 650 651 Revision 204 652 Author Skovvart 63 Date 2012 05 03 13 08 654 Message Optimized Send slightly 655 656 Revision 203 657 Author Aaes 658 Date 2012 05 03 12 42 659 Message 660 661 Revision 202 662 Author Aaes 663 Date 2012 05 03 12 41 664 Message 665 666 Revision 201 667 Author Aaes 668 Date 2012 05 03 12 33 669 Message Page 8 Revision History 21 05 2012 670 671 Revision 200 672 Author Aaes 673 Date 2012 05 03 12 17 674 Message 675 676 Revision 199 677 Author Skovvart 678 Date 2012 05 03 00 31 679 Message Updated cleanup for some tests 680 681 Revision 198 682 Author Skovvart 683 Date 2012 05 03 00 23 684 Message Updated some tests a lot still broken due to lack of a UI attempted changing Send to split the message into multiple packets to better be able to send large messages Sync command 685
7. Milan September 9 2008 retrieved from http www few vu nl rbakhshi papers TCSO8talk pdf on 12th March 2012 Leader Election in rings Marco Aiello Eirini Kaldeli University of Groningen 2009 retrieved from http www cs rug nl eirini DS slides leader election pdf on 12th March 2012 Attack Modeling for Information Security and Survivability Andrew P Moore Robert J Ellison Richard C Linger March 2001 retrieved from http www cert org archive pdf 01tn001 pdf on 12th March 2012 Attack Trees Modeling security threats Bruce Schneier Dr Dobb s Journal Decem ber 1999 retrieved from http www schneier com paper attacktrees ddj ft html on 12th March 2012 Creating Secure Systems through Attack Tree Modeling 10 June 2003 retrieved from http www amenaza com downloads docs 5StepAttackTree WP pdf on 12th March 2012 Improving Web Application Security Threats and Countermeasures J D Meier Alex Mackman Michael Dunner Srinath Vasireddy Ray Escamilla and Anandha Murukan Microsoft Corporation June 2003 retrieved from http msdn microsoft com en us library ff648644 aspx on 12th March 2012 Database Encryption An Overview of Contemporary Challenges and Design Considerations Erez Shmueli Ronen Vaisenberg Yuval Elovici Chanan Glezer SIGMOD Record Septem ber 2009 retrieved from http www ics uci edu ronen Site Research_files p29 surveys shmueli pdf on 12th March 2012 10 24 DBMS_CRYPTO O
8. Nicolai Skovvart nbskGitu dk 4 explanation A scanner can read a physical voter card and extract required information from it query what is the voter number from this voter card constraint Failure to read the voter card should result in an error end O 09 O Uu Page 1 Station Informal 16 05 2012 1 AWN VO Y MO QI 10 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 class chart STATION indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation A station is a client machine that communicates with its manager and provides a graphical user interface for voters to use when requesting a ballot A station can also be the manager A manager manages the various stations and handles synchronization of the data It also has elevated rights compared to a station and can for example manually mark a voter as having been handed a ballot in case he lost his voter card or the like query what is my address who is the manager Is there enough active stations in the group to continue operations What is the status of the election Who are my peers How can I manipulate my database How can I communicate with my group How can I encrypt messages How can I log messages How can the user interact with me Am I the mana
9. ballotstatus CIPHERTEXT invariant cpr void and voterNumber void and ballotstatus void end class LOGENTRY feature Message VALUE Level VALUE Timestamp INTEGER invariant Message void and Level void and Timestamp void end end end Page 2 Crypto Formal 16 05 2012 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 static diagram DIGITALVOTERLIST component cluster CRYPTO component deferred class ICRYPTO feature VoterDataEncryptionKey ASYMMETRICKEY ensure result void end SetVoterDataEncryptionKey void key ASYMMETRICKEY Keys SET ASYMMETRICKEY ensure result void end AsymmetricDecrypt BYTEARRAY C CIPHERTEXT gt k ASYMMETRICKEY require c void and k void ensure result void end AsymmetricEncrypt CIPHERTEXT gt b BYTEARRAY gt k ASYMMETRICKEY require b void and k void ensure result void end SymmetricDecrypt BYTEARRAY C CIPHERTEXT gt k SYMMETRICKEY require c void and k void ensure result void end SymmetricEncrypt CIPHERTEXT gt b BYTEARRAY gt k SYMMETRICKEY require b void and k void ensure result void end Hash BYTEARRAY gt b BYTEARRAY require b void end SetIv voi
10. implicit operat Y Objectinvariant 5 ToString FF value E Methods AsymmetricKey implicit operat Y Objectinvariant m ICrypto Interface IDisposable E Properties g wv P keys PAP VoterDataEncrypti El Methods 5 AsymmetricDecrypt 5Q AsymmetricEncrypt Q GenerateSymmetr Hash Newlv SymmetricDecrypt KeyUtil e Static Class i I I E Methods Y ToBytes i V Tokey i um aw m m m ew m m mmm P E Properties SP value El Methods CPR implicit operat Y Objectinvariant ToString PublicKeyWrap Class Y El Methods E GetKey 79 PublicKeyWrap 63 Ho CryptoContract ES El Properties may FF Keys 2 VoterDataEncry E Methods 79 AsymmetricDec i El Properties FF Value El Methods 5 implicit operat ToString VoterNumber EncryptedVoter Struct E Properties CST BallotStatus HP CPR m VoterNumber El Methods EncryptedVoter 3 Objectinvariant ToString SymmetricDecr 79 SymmetricEncr ananaooonnnaooanoonnanoonoooonnnonae Y Objectinvariant 4 ToString E Properties FF Value E Methods implicit operat 89 Objectinvariant PublicKeyExcha Class 7 E Properties CT Sender E Methods Execute 5 GetPassword 7 amp PublicKeyExcha Aegis DVL User interface DesignTimeStati Y Class gt List lt StationStatus gt
11. Date 2012 03 26 14 01 Message Updated compiled BON Revision 8 Author Skovvart Date 2012 03 26 13 58 Message Removed triplet tuple of three should do Revision 7 Author Aaes Date 2012 03 26 13 52 Message Changed informal BON Communicator Informal bon Revision 6 Author Skovvart Date 2012 03 26 13 38 Message Documentation added Revision 5 Author Skovvart Date 2012 03 26 13 34 Message Hello Aaes Revision 4 Author Skovvart Date 2012 03 26 13 33 Message Test commit Revision 3 Author Skovvart Date 2012 03 26 13 14 Message Revision 2 Author Skovvart Date 2012 03 26 12 58 Page 20 Revision History 21 05 2012 1668 1669 1670 1671 1672 1673 Message Initial source commit Revision 1 Author www data Date 2011 09 18 15 27 Message Automatically created readme textile and trunk directory we recommend you to put all your code there Page 21 17 7 BON 119 System Informal 16 05 2012 1 AUN Oo N 10 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 system_chart DVL indexing author Nikolaj Aaes niaa itu dk amp Nicolai Skovvart nbsk itu dk explanation An open source digital voter list that keeps track of who has been handed a ballot at an election with a focus on security cluster DIGITALVOTERLIST description The various elements of the digital voter
12. OR 1 Exchange the USB device 0 1 high 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it lt Manipulate person s gt 2 lt Acquire public key used to encrypt the data gt 3 Encrypt tampered data set with public key 0 O high 5 4 Write data to own USB device 0 1 high 5 5 Give new USB device to people transporting it 0 1 low 5 2 Manipulate the data on the existing USB device 0 1 high 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it lt Manipulate person s gt 2 Replace or manipulate 0 1 high 4 OR 1 Manipulate 0 1 high 4 AND 1 Acquire private key used to decrypt the data gt 2 lt Acquire public key used to encrypt the data gt 3 Decrypt data set 0 0 high 5 4 Manipulate data 0 O high 5 5 Encrypt tampered data set with public key 0 O high 5 6 Write data to USB device 0 1 medium 5 2 Replace 0 1 high 4 AND 1 Acquire public key used to encrypt the data gt 2 Encrypt tampered data set with public key 0 O high 5 3 Write data to USB device 0 1 medium 5 3 At the tallying location 0 1 low 4 OR 1 Be responsible for tallying 0 1 medium 1 2 Manipulate person s responsible for tallying to manipulate the data lt Manipulate person s gt 3 Manipulate the data without the person s responsible n
13. k dir dade te 12 93 01 Dilandler iecore e p EG Ek EA AA A AS ees 12 5 4 Generating voter cards e o 13 Dior Contract coverages 252 vcra a ox ges bie ure p s quen ue ea es 13 6 Data 14 6 1 Receiving and distributing data een 14 7 Synchronization and Broadcasting 17 7 1 Database management system 4 eee eee KK KI KI K K KI KI KK KK KK 19 8 Security 21 8 1 Attack model 4v ds hing uA RR yan ye l se Pol DE amp ee ed 23 5 2 Protection cR cmd EG Ed ETE Ha A ee A a 24 amp 24 Input validatio 4 4 be xy 2A 2 y e Ay iz l 25 8 22 PGP GRG and SSD Rr PEA AA A x QA Re 26 82 3 Cryptography 4 s deco ad h di s r n RR Ey aw a AE GG OS 27 8 3 Detection and recovery kk kK KK KEK KI KIRI KIRI KI KI KI KK KK KK KI KK KK 28 8 3 1 Electing a new manager KI KK KI KI KK KK KK KK ne 28 8 9 2 Hatalierrors x esa fh A PQ A A EA Pe euet rie 30 8 3 3 Tnconsist nt d t ae A lS k a lek RE 30 Sd LOS eines des we was ue edu a doo ex Riu Euseb 9 Comparison with KMD s DVL and other related work 10 User Manual and Users 11 Testing TLO L Test strategy Ll hik luci ee Me ee Bele EA a 11 0 2 Results 3 as RUE ebd uunc uu EX ETE eS 11 0 3 Known BUSS uas eS ich cedes a ka a neyar a ana 12 Future Development 12 Improvem entS coo soo SU eder EAE EGO RUP Row QVE 13 Glossary 14 Reflection 15 Conclusion 16 References 17 Appendix 1
14. 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 Date 2012 05 01 13 13 Message Revision 133 Author Skovvart Date 2012 05 01 13 07 Message Made GeneratePassword static which means it s not part of the interface Revision 132 Author Aaes Date 2012 05 01 13 04 Message renamed Overview to OverviewPage and rearranged the order of dataloadpage and masterpassword page Revision 131 Author Skovvart Date 2012 05 01 12 57 Message AllData calls ToArray so we don t get whereSelector which isn t serializable Revision 130 Author Aaes Date 2012 05 01 12 53 Message Import and export implemented in the UIHandler Revision 129 Author Aaes Date 2012 05 01 12 45 Message Corrected UIHandler to handle new export import methods Revision 128 Author Skovvart Date 2012 05 01 12 44 Message Updated to work with new signature for Import and removed Export Revision 127 Author Skovvart Date 2012 05 01 12 39 Message Removed export data can be exported through AllData changed Import to just take a dataset instead of a lambda importing the dataset Revision 126 Author Aaes Date 2012 05 01 12 30 Message Cleaned up UI classes Revision 125 Author Skovvart Date 2012 05 01 12 20 Message Made SyncCommand use primitive types updated test Potential problem with m
15. 235 Author Aaes Date 2012 05 04 13 29 Message slight optimization of the populateList methods Revision 234 Author Skovvart Date 2012 05 04 13 17 Message Catching AsnlParsingException as well Page 6 Revision History 21 05 2012 505 506 507 508 509 510 11 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 552 553 554 560 561 562 563 564 565 566 567 568 569 570 371 572 573 574 575 576 S r 578 579 580 581 582 583 584 585 Revision 233 Author Aaes Date 2012 05 04 13 14 Message inactive peers are removed from the peerlist when the overview and manageroverview lists are updated Revision 232 Author Skovvart Date 2012 05 04 13 13 Message Reduced and changed IP ranges for ITU Revision 231 Author Skovvart Date 2012 05 03 17 02 Message Logger updated to use logName instead of a fixed string Revision 230 Author Aaes Date 2012 05 03 16 45 Message all menuitems in the file menu are now disabled in the endelectionwindow Revision 229 Author Aaes Date 2012 05 03 16 40 Message you can now close the application from the files menu if you have the master password but not in the EndElectionPage Revision 228 Author Aaes Date 2012 05 03 16 29 Message a user cannot press OK in the acceptstationDialog A
16. 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 static diagram DIGITALVOTERLIST component cluster STATIONANDMANAGER component deferred class STATION feature Address IPADDRESS Manager IPADDRESS SetManager void address IPADDRESS require address void ensure Manager address end EnoughStations BOOLEAN ElectionInProgress BOOLEAN Peers SORTED_LIST IPADDRESS Database IDATABASE Communicator ICOMMUNICATOR Crypto ICRYPTO SetCrypto void gt newcrypto ICRYPTO require newcrypto void ensure Crypto newcrypto end Logger ILOGGER SetLogger void gt newlogger ILOGGER require newlogger void ensure Logger newlogger end UI IDVLUI IsManager BOOLEAN Listening BOOLEAN MasterPassword VALUE SetMasterPassword void gt password VALUE require password void and MasterPassword void ensure MasterPassword password end StationActive BOOLEAN gt address IPADDRESS require address void end DiscoverPeers SEQUENCE IPADDRESS Page 1 Station Formal 16 05 2012 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 1 19 120 121 122 123 124 ensure result void end ValidMasterPassword BOOLEAN pas
17. 51 SecureRandom class Randomly generated numbers are generally too predictable and thus insecure so a strong source of randomness is needed We trust that the implementation by Bouncy Castle is sufficiently secure 12 Usability design usable security mechanisms The system uses several different mechanisms and we have automated as many as possible We require very little of the users and the tasks the users have to perform are trivial By following these principles we got some desirable properties for our system The next thing to consider was what kind of attacks our system could be a victim of For this we used the STRIDE 8 threat categories and the corresponding countermeasures Spoofing We use strong authentication and store all the data in an encrypted fashion Tampering We use a secure communication protocol and hybrid ciphers Repudiation We use logs and digital signatures to ensure this Information disclosure We use strong encryption algorithms Denial of service We make sure that the machines are on a closed network with no access to the Internet Elevation of privilege We follow the Least Privilege principle The system must be connected to a closed network during the election only potentially con necting to the outside to import partitioned voter data prior to the election or upload exported voter data afterwards To ensure that the network is actually closed the connection must always 22 be wired and
18. At the tallying location 0 1 low 4 OR 1 Be responsible for tallying 0 1 low 1 2 Manipulate person s responsible for tallying to corrupt the data lt Manipulate person s gt 3 Corrupt the data without the person s responsible noticing 0 1 high 4 lt Digitally force access gt 5 Physically force entry and the attacker corrupting the data 0 1 low 4 Tree 3 To gain knowledge about a protected part of the election 0 1 low 4 OR 1 Get access to the digital data before it s partitioned lt Gain access to partitioning machine gt 2 Gain access to the partitioned data while it s being transported to the election venue 0 1 high 4 OR 1 Access the USB device 0 1 high 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it lt Manipulate person s gt 2 lt Acquire private key used to decrypt the data gt 3 Decrypt and read data 0 1 high 5 3 Physically spy on the voters during the election 0 1 low 1 OR 1 Place cameras in the election booths 20 000 1 high 1 AND 1 Locate the election venue and booths 0 1 low 4 2 Acquire cameras 20 000 1 low 5 3 Gain access to the election venue lt Gain access to the election venue gt 4 Install the cameras in the election booths without anyone noticing 0 1 high 1 2 Physically be in the election booth to spy 0 1 low 1 4 Gain access to the digital data during the election 0 1 lo
19. Author Aaes Date 2012 05 15 14 36 Message Revision 322 Author Aaes Date 2012 05 15 14 24 Message when a station is promoted to the manager the amount of stations is checked Revision 321 Author Aaes Date 2012 05 15 14 16 Message Revision 320 Author Aaes Date 2012 05 15 14 06 Message changed width of shown password on waitingformanagerpage Revision 319 Author Aaes Date 2012 05 15 14 00 Message Revision 318 Author Skovvart Date 2012 05 15 13 51 Message You might have a manager if you are a manager when receiving the PublickeyExchangeCommand reply Page 1 Revision History 21 05 2012 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 158 156 157 158 159 160 161 162 163 164 165 166 167 168 Revision 317 Author Aaes Date 2012 05 15 Message Revision 316 Author Aaes Date 2012 05 15 Message dispatcher methods used in notenoughpeers and enoughpeers Revision 315 Author Aaes Date 2012 05 15 Message Revision 314 Author Aaes Date 2012 05 15 Message changed Revision 313 Author Skovvart Date 2012 05 15 Message Revision 312 Author Skovvart Date 2012 05 15 Message
20. end end Page 1 Core Datatypes Formal 16 05 2012 1 static diagram DIGITALVOTERLIST 2 component 3 cluster CORE DATA TYPES 4 component 5 class CIPHERTEXT 6 feature 7 Value BYTEARRAY 8 invariant 9 Value void 10 end Ti 12 class ASYMMETRICKEY 13 feature 14 Value ASYMMETRICKEYPARAMETER 15 invariant 16 Value void 17 end 18 19 class SYMMETRICKEY 20 feature 21 Value BYTEARRAY 22 invariant 23 Value void 24 end 25 26 class MESSAGE 27 feature 28 Iv BYTEARRAY 29 30 SymmetricKey CIPHERTEXT 31 32 Command CIPHERTEXT 33 34 SenderHash CIPHERTEXT 35 invariant 36 Iv void and SymmetricKey void and Command void and SenderHash void 37 end 38 39 class VOTERNUMBER 40 feature 41 Value INTEGER 42 ensure 43 result void and 44 result gt 0 45 end 46 end 47 48 class CPR 49 feature 50 Value INTEGER 51 ensure 52 result void and 53 result gt 0 54 end 55 end 56 57 class BALLOTSTATUS 58 feature 59 Value INTEGER 60 ensure 61 result void and Page 1 Core Datatypes Formal 16 05 2012 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 73 80 81 82 83 84 85 86 87 88 result gt 0 and result 3 0 is handed out 1 is not handed out and 2 is not available this would ideally be an ENUM end end class ENCRYPTEDVOTERDATA feature Cpr CIPHERTEXT voterNumber CIPHERTEXT
21. indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation CipherText is encrypted data query what does this CipherText look like constraint The value of the ciphertext must always be non void end class chart ASYMMETRICKEY indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation An asymmetric key can be used for either encryption or decryption of data query what does this asymmetric key look like constraint The value of an asymmetric key must always be non void end Class chart SYMMETRICKEY indexing author Nikolaj Aaes niaaQitu dk Nicolai Skovvart nbskGitu dk explanation A symmetric key can be used for either encryption or decryption of data query what does this symmetric key look like constraint The value of a symmetric key must always be non void end Class chart MESSAGE indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation A message contains the ciphertexts of a symmetric key a command encrypted with the symmetric key and a hash encrypted with the senders public key Used for secure communication query what is the initialization vector used to encrypt the command What is the CipherText of the symmetric key used to encrypt the command What is the CipherText of the encrypted command What is the CipherText of the senderhash of the command end Class char
22. 0 1 low 2 OR 1 Prevent them from receiving voter cards 0 1 low 2 2 Physically prevent them from entering election venue 0 1 low 2 5 Deleting data 0 1 low 4 OR 1 Before the election 0 1 low 4 OR 1 During partitioning lt Gain access to partitioning machine gt 2 During transportation to election venue 0 1 medium 4 OR 1 Delete data on the USB device 0 1 medium 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it Manipulate person s gt 2 Delete the data 0 1 medium 5 3 Optional Give the USB device to people transporting it 0 1 low 5 3 On manager machine before election has started 0 1 medium 4 AND 1 Gain access to the manager machine 0 1 low 4 OR 1 Be the election official s 0 1 medium 1 2 Force access 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access Digitally force access 3 Force an insider to grant access Manipulate person s gt 2 Delete the data 0 1 medium 5 2 During the election 0 1 high 2 OR 1 Delete the database on all the machines 0 1 high 2 AND 1 Gain access to all machines 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access Digitally force access 2 Delete the database 0 1 high 2 3 After the election 0 1 low 4 OR 1 Before being exported 0 1 high 2 AND 1 Gain access to the manager machine 0 1 low 4 O
23. 02 16 24 Message Cryptotests added Some are not passing Revision 64 Author Skovvart Date 2012 04 02 15 56 Message Updated with latest tests Revision 63 Author Skovvart Date 2012 04 02 14 33 Message Initial layout of tests added Revision 62 Author Skovvart Date 2012 04 02 14 19 Message Fixed type error in station worked a bit on communicator tests Revision 61 Author Skovvart Date 2012 04 02 13 55 Message Communicator made public added regions to station started unit tests Revision 60 Author Skovvart Date 2012 04 02 13 44 Message Revision 59 Author Aaes Date 2012 04 02 12 53 Message Revision 58 Author Skovvart Date 2012 04 02 12 52 Message Small updates Revision 57 Author Skovvart Date 2012 04 02 12 50 Message Updated I Communicator Revision 56 Author Aaes Date 2012 04 02 12 50 Message Revision 55 Author Aaes Date 2012 04 02 12 50 Message included a getParent Revision 54 Author Skovvart Date 2012 04 02 12 27 Message compilebon txt updated to new names Revision 53 Author Aaes Date 2012 04 01 22 55 Message Page 17 Revision History 21 05 2012 1414 145 Revision 52 1416 Author Aaes 1417 Date 2012 04 01 22 54 148 Message 1419 1420 Revision 51 1421 Author Aaes 1422 Date 2012 04 01 22 53 1423 Message new UI images concepts 14244 1425 Revision 50 1426 Author Skovvart 1427 Da
24. 05 2012 338 Date 2012 05 08 14 54 339 Message PDF generator changed test data 340 341 Revision 266 342 Author Skovvart 343 Date 2012 05 07 16 45 344 Message Fixed some tests removed Printer since it probably shouldn t be a part of the solution 345 346 Revision 265 347 Author Aaes 348 Date 2012 05 07 13 01 349 Message 350 351 Revision 264 352 Author Skovvart 353 Date 2012 05 07 12 53 354 Message ForEach should not use a local collection so it wont accidentally be modified during execution 355 356 Revision 263 357 Author Aaes 358 Date 2012 05 04 16 58 359 Message 360 361 Revision 262 362 Author Skovvart 363 Date 2012 05 04 16 55 364 Message PromoteNewManager should not update the target UI 365 366 Revision 261 367 Author Aaes 368 Date 2012 05 04 16 48 369 Message 370 371 Revision 260 372 Author Aaes 373 Date 2012 05 04 16 27 374 Message 375 376 Revision 259 377 Author Skovvart 378 Date 2012 05 04 16 19 379 Message ElectNewManager now notifies the UI if the new manager is itself 380 381 Revision 258 382 Author Aaes 383 Date 2012 05 04 16 19 384 Message 385 386 Revision 257 387 Author Aaes 388 Date 2012 05 04 16 18 389 Message now a station can become a manager UI wise 390 3931 Revision 256 392 Author Aaes 393 Date 2012 05 04 16 09 394 Message 395 39 Revision
25. 12 45 Message PKExchangecmd updated to be UI ready Revision 161 Author Aaes Date 2012 05 02 12 45 Message Now the Done and Only CPR buttons will only be enabled when the sufficient amount of characters are present Revision 160 Author Aaes Date 2012 05 02 12 30 Message added checks for empty CPR and voter number textboxes Revision 159 Author Aaes Date 2012 05 02 12 24 Message When you request a ballot there is now a check for whether the voter exists have voted Revision 158 Author Aaes Date 2012 05 02 12 19 Message Revision 157 Author Skovvart Date 2012 05 01 22 03 Message Updated most tests to work with the new station constructors Revision 156 Author Skovvart Date 2012 05 01 17 57 Message Increased the buffersize so it can now actually load the data set from disk Revision 155 Author Skovvart Date 2012 05 01 17 49 Message Updated small dataset in dropbox updated EncryptedvoterData to no longer use a tuple as it was giving serilization issues updated UIHandlers import somewhat Revision 154 Author Skovvart Date 2012 05 01 16 37 Message UI now handles Log sqlite properly Revision 153 Author Aaes Date 2012 05 01 16 15 Message Revision 152 Author Aaes Date 2012 05 01 16 09 Message the back button on the MasterPassword page now goes to a typechoicepage instead of a dataload page Revision 151 Author Aaes Date 2012 05 01 16 05 Message the
26. 2012 03 28 14 59 1478 Message Updated Crypto and ICrypto to require the use of initilization vectors for symmetric encryption Updated documentation to come 1479 1480 Revision 39 1480 Author Skovvart 1482 Date 2012 03 28 14 44 148 Message Crypto mostly implemented with some TODO notes in comments 1484 1485 Revision 38 1486 Author Skovvart 1487 Date 2012 03 28 14 06 1488 Message Commented and renamed some utility classes 1489 1490 Revision 37 1491 Author Skovvart 1492 Date 2012 03 28 13 50 1493 Message Crypto documentation updated 144 1495 Revision 36 1496 Author Skovvart 1497 Date 2012 03 28 13 46 Page 18 Revision History 21 05 2012 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 2517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1531 1552 1553 1554 15585 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 ISAL 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 Message ICrypto updated Revision 35 Author Skovvart Date 2012 03 28 13 09 Message Added utility functions Revision 34 Author Skovvart Date 2012 03 28 13 04 Message Skovvart s OCD was satisfied Revision 33 Author
27. Author Aaes Date 2012 05 03 16 02 Message Page 7 Revision History 21 05 2012 586 Revision 217 587 Author Aaes 588 Date 2012 05 03 16 02 589 Message The passwords shown at connect are not shown in dialogs anymore 590 591 Revision 216 592 Author Skovvart 593 Date 2012 05 03 15 03 594 Message EndElectionCommand now notifies UI 595 596 Revision 215 597 Author Aaes 598 Date 2012 05 03 14 59 599 Message 60 60 Revision 214 602 Author Aaes 603 Date 2012 05 03 14 59 604 Message fixed showpasswordonmanager 605 606 Revision 213 607 Author Aaes 608 Date 2012 05 03 14 47 609 Message ElectionStarted and ElectionEnded should now work 60 611 Revision 212 612 Author Skovvart 613 Date 2012 05 03 14 43 614 Message Generated password length decreased to 2 for testing purposes 615 616 Revision 211 617 Author Aaes 618 Date 2012 05 03 14 43 619 Message end election cancel works and the ballotRequestPage constructor is fixed 620 621 Revision 210 622 Author Skovvart 63 Date 2012 05 03 14 38 624 Message StartElectionCommand notifies the UI 65 626 Revision 209 627 Author Skovvart 628 Date 2012 05 03 14 29 629 Message Logger not controls the backup of older logs instead of the UI 60 631 Revision 208 632 Author Aaes 63 Date 2012 05 03 14 10 634 Message The right dispacther now opens a dialog 635
28. Class 1 Static Class i Class A J EntityObjet O O O x X b at a PublicKeyExcha Y PublicKeyWrap RemovePeerCo Y RequestBallotC Y Class Class Class Class Q Q O Q e Q 9 RequestBallotC Y RevokeBallotCo v RevokeBallotCP Y ShutDowntlecti SqliteDatabase Y StartllectionCo Y Station E Class Class Class Class Class Class Class X O ed P E SyncCommand y TheOnlyException Y Voter E Class Class Class gt Exception gt EntityObjec Key CipherText E CPR E EncryptedVoter Y LogEntry y Message E SymmetricKey E Struct Struct Struct Struct Struct Struct Struct VoterNumber E Struct ICommand E ICommunicator ICrypto E IDatabase E IDvlUi E Logger 163 IScanner E Interface Interface Interface Interface Interface Interface Interface gt IDisposable gt IDisposable gt IDisposable BallotStatus E Level E Enum Enum 59 Aegis DVL Commands and Communication Class E Properties FF Parent E Methods Communicator DiscoverNetwo IsListening ReceiveAndHan Class 2 Properties i DiscoverNetwo i IsListening i ReceiveAndHan 3 Send i Properties EF Sender El Methods 79 Execute RevokeBallotCP EF Sender E Properties El Methods El Methods CF Sender 7 Execute amp Execute E Methods SyncCommand IsAliveCommand AddPeerComm o Execute PromoteNewMa
29. Give the USB device to people transporting it 0 1 low 5 3 On manager machine before election has started 0 1 high 4 AND 1 Gain access to the manager machine 0 1 low 4 OR 1 Be the election official s 0 1 medium 1 2 Force access 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access Digitally force access 3 Force an insider to grant access Manipulate person s gt 2 Corrupt the data 0 1 high 5 2 During the election 0 1 high 4 OR 1 Corrupt the database on all the machines 0 1 high 4 AND 1 Gain access to all machines 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access Digitally force access 2 Corrupt the data 0 1 high 5 3 After the election 0 1 low 4 OR 1 Before being exported 0 1 high 4 AND 1 Gain access to the manager machine 0 1 low 4 OR 1 Be the election official s 0 1 low 1 2 Force access 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access Digitally force access 3 Force an insider to grant access Manipulate person s gt 2 Corrupt the data 0 1 high 5 2 During transportation 0 1 low 4 OR 1 Corrupt the USB device 0 1 low 4 AND 1 Physically acquire the device OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it lt Manipulate person s gt 2 Corrupt the data 0 1 high 5 3 Optional Give the USB device to people transporting it 0 1 low 5 3
30. IsActive Sender then if Check then UpdateSender true sends a command to the sender telling it to update its database and tell the voter he can receive a ballot else UpdateSender false sends a command to the sender telling it not to update its database and tell the voter he can not receive a ballot 10 end if 11 else 12 RevokeBallot V oter NumberC PR revokes the ballot status on all the other stations 13 end if i NUS m o 9 To ensure that our algorithm works as expected we used the model checking tool UPPAAL 28 By using this tool we were able to verify that our synchronization algorithm updates all the machines when a ballot is handed out and that each voter can only be handed one ballot Screenshots from the verification can be found in appendix 17 4 UPPAAL We considered the fact that if an election venue has a large amount of stations the manager might get a message implosion where too many messages are to be handled at the same time Implementing a queue system on the manager side of the communication layer should be sufficient to handle the inbound messages If this was a greater concern Schooler s suppression algorithm 25 would be a viable way to avoid this problem 7 1 Database management system To manage the data on each machine our system uses a database management system DBMS We have made it easy to exchange this DBMS with another one by defining an interface for the database layer If one were t
31. Skovvart Date 2012 03 28 12 46 Message Finished IDatabase BON implementation Revision 32 Author Aaes Date 2012 03 27 16 46 Message Core cs now have contracts and BON documentation Revision 31 Author Skovvart Date 2012 03 27 16 18 Message IDatabase done for now needs to add the invariant when Station is more complete Revision 30 Author Skovvart Date 2012 03 27 16 04 Message Recompiled information documentation Revision 29 Author Skovvart Date 2012 03 27 15 50 Message Re ignoring suo Revision 28 Author Skovvart Date 2012 03 27 15 50 Message Updated BouncyCastle Crypto dll reference Revision 27 Author Aaes Date 2012 03 27 15 45 Message Revision 26 Author Skovvart Date 2012 03 27 15 44 Message IDatabase formatted BON slightly updated Revision 25 Author Aaes Date 2012 03 27 15 37 Message wrongly names vars in the BON Revision 24 Author Aaes Date 2012 03 27 15 37 Message added documentation and BON methods to the ICrypto class the old ones are still in there Revision 23 Author Aaes Date 2012 03 27 15 20 Message added documentation and contracts for IPrinter and IScanner Revision 22 Author Aaes Date 2012 03 27 14 19 Message second edition of formal BON Revision 21 Author Aaes Date 2012 03 27 14 14 Message first edition of formal BON Revision 20 Author Skovvart Date 2012 03 27 12 29 Message Fixed Command Formal bo
32. Skovvart Date 2012 05 01 15 29 Message Added App Config to allow mixed assembly though we don t know what mixed assembly this is File Exists Revision 141 Author Aaes Date 2012 05 01 15 28 Message when a station goes back the station object is disposed Revision 140 Author Aaes Date 2012 05 01 15 10 Message Revision 139 Author Skovvart Date 2012 05 01 14 19 Message Removed a and updated some constructors Updated other files where necessary Revision 138 Author Skovvart Date 2012 05 01 14 09 Message Made tests compilable again Made many tests use using Revision 137 Author Aaes Date 2012 05 01 13 25 Message The master password is stored from the MasterPasswordPage to the DataLoadPage in order to correctly initialize the station it is set to null afterwards Revision 136 Author Aaes Date 2012 05 01 13 21 Message comments and finalizing of IUIHandler Revision 135 Author Skovvart Date 2012 05 01 13 16 Message Broke tests to make them compile while making the code more ready for release Fix tests later Revision 134 Author Aaes Page 12 Revision History 21 05 2012 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052
33. The system developed by KMD has the option to print replacement voter cards While it is nice for the voters to have something tangible when they vote we do not see the use of being able to print additional voter cards If a voter arrives without his voter card he should be able to identify himself and then be able to vote once his identity has been confirmed There is no need for him to receive a voter card just to use it quickly thereafter The system developed by KMD requires each machine to disable its firewall screen saver antivirus and hibernation mode It also requires that the screen resolu tion is 1024x768 and that the PC name is static Our system does not require any of these things which seem unnecessary and very imprac tical for the person assigned to set up the system Disabling the firewall and antivirus will actually lower the security in the event that an unknown attacker enters the network The system developed by KMD is designed to be set up the day before the election This seems like a great idea from a practical standpoint The person assigned with the set up can do so undisturbed and test the system in advance The downside is the potential that someone can tamper with the system overnight The KMD manuals 36 37 38 does not specify anything about the election venue and it would be possible to enter the venue unnoticed and tamper with the machines before the election started We assessed that the security risk overruled the
34. between the different machines Every message sent over 21 the network is validated and if the message is not accepted the election will switch to a paper based approach since the sender is regarded as compromised 7 Secure fail safe defaults the system should start and return to a secure state in the event of a failure We use several detection mechanisms to catch failures and handle them See section 8 3 Detection and recovery 8 Complete mediation access to any object must be monitored and controlled By using code contracts and rigid logging we monitor all access to the data To control access to the system we only accept incoming net traffic in a certain format and to control the access to the data we use our database layer which can only be accessed through the application 9 No single point of failure build redundant security mechanisms whenever feasi ble We do not want any machine to be a single point of failure and by having all the data distributed to all the machines we can handle the crash of any machine If the manager machine should crash the stations can elect a new manager and continue with the election 10 Traceability log security relevant system events We store logs locally on each machine encrypted with the master password ensuring that the log is accessible even after a system crash 11 Generating secrets maximise the entropy of secrets All of our generated secrets are created using Bouncy Castle s
35. but Nothing happens Yes None ton with a station you are not connected to selected in the Man agerOverviewPage 64 Press the Tilf j but a password appears on Yes None ton with a station you are not connected to selected in the Man agerOverviewPage the screen and a prompt to type in this password appears on the station 57 65 A station replies to your a prompt appears on No the station is never redi request to add it in the your screen and if you rected to the BallotRe ManagerOverviewPage type in the correct pass questPage word the station ap pears as connected in the list The station is redirected to the Bal lotRequestPage 66 Press the Fjern button The station appears as No while it is removed it with a station you are not connected in the list appears in the list as not connected to selected in connected only after the the ManagerOverview list has been updated Page 67 Press the G r til Man Nothing happens Yes None ager button while noth ing is selected in the ManagerOverviewPage 68 Press the Ger til Man Nothing happens No The station never gets ager button while a sta promoted but the man tion you are not con ager gets demoted to a nected to is selected in station the ManagerOverview Page 69 Press the G r til Man the manager gets de Yes None ager button while a sta moted to at station and tion you are connecte
36. code contracts Coverage results Total coverage AOS 51 E fe Group by A Coverage tree has excluded nodes Show all nodes Symbol Coverage Covered Total Stmts SNE Aegis DVL 1388 1435 E Aegis DVL Communication 121 131 Aegis_DVL Commands 349 372 Aegis DV ES 334 345 Aegis DVL Database HEEE 117 119 Aegis_DVL Logging 20 1000 53 53 Aegis DVL Cryptography EO 55 5 G Aegis_DVL Util HERHEM 127 127 Aegis_DVL Data_Types OO 192 192 59 72 of the user interface blackbox tests passed To view the tests in detail see appendix 17 1 User interface tests Most of these bugs are insignificant and can be easily repaired They do not interrupt the normal workflow but are more of an inconvenience to the users However they should still be fixed before making the application publicly available since some of the bugs will crash the program completely 11 0 3 Known bugs Our testing revealed some bugs listed here 38 Known bugs Bug Severity A station will never know it has been removed from the group only the manager and all other stations will Major When you add a station in the ManagerOverviewPage it gets connected but the election never starts as it is busy receiving the SyncCommand Major Random IOExceptions Unable to read data from the transport connection An existing connection was forcibly closed by the remote host Major You ca
37. filled For the user interface to be able to mark the correct station as not connected when the Fjern button is pressed in the OverviewPage and ManagerOverviewPage instead of populating the entire list again Construct a user interface for generating voter cards Make the AcceptManagerDialog AcceptStationDialog and CheckMasterPasswordDi alog focus the text box 42 Chapter 13 Glossary Election venue One of the venues where the election is held Each venue has it own set of machines and election personnel Station A machine where voters can scan or type in their voter numbers and CPR numbers and are handed a ballot if they are eligible Manager A machine that manages the stations in the network The manager machine can add or remove stations from the network during the election The election data is imported and exported from the manager machine The manager machine is also responsible for starting and ending the election at the appropriate times Voter A person eligible for voting Voter card Each voter receives a voter card prior to the election The voter card contain the voter number name and election venue of the voter and is used to verify whether the voter is eligible to vote at a specific venue When the voter wants to vote he has to present the voter card to receive a ballot Voter number A unique number identifying a specific voter during an election Ballot When a voter has been verified as eligibl
38. is at the time of the breakdown and continue the election by marking the voters manually With this system there is a slight problem because the data sets are encrypted during the entire election and the decryption key is held by an entity that is not present in the election venue While it would be possible to transport the entity to the election venue to decrypt the data set it could be very time consuming Another option that lends itself to this system in a better way would be to export the already collected data to a portable medium and continue by marking the remaining voters manually This approach presents the problem of merging the exported data with the manually collected data after the election which can be prone to errors and can be time consuming If the system is the victim of an attack the two solutions above are not sufficient since the printed or exported data set might be compromised Essentially the gathered data can not be trusted and must be disregarded While it is still possible to switch to marking the voters manually the digitally gathered data is lost and can not be merged with the manual markings later The only viable approach would be to have the voters vote again 8 3 3 Inconsistent data While this system does everything it can to make an election run as smoothly as possible we must not overlook a scenario where the data sets on the stations and the manager is inconsistent after the election has ended The system ca
39. list system Cluster COREDATATYPES description Core datatypes used by the digital voter list system end cluster chart DIGITALVOTERLIST indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation The various elements of the digital voter list system class STATION description A station is a client machine that communicates with its manager and provides a graphical user interface for voters to use when requesting a ballot A station can also be the manager A manager manages the various stations and handles synchronization of the data It also has elevated rights compared to a station and can for example manually mark a voter as having been handed a ballot Cin case he lost his voter card or the like Class SCANNER description A scanner can read a physical voter card and extract required information from it Class COMMUNICATOR description A communicator is responsible for securely passing commands between two parties class CRYPTO description Crypto is responsible for cryptographic functions such as public key encryption Class DATABASE description The database layer is responsible for communicating with the database create read update write It can also perform batch operations such as importing and exporting the database class COMMAND description A command is sent over the network and can be executed at the destination Class LOGGER description A log is used to track events i
40. occur if the station starting the election happens to have the highest identifier If we used the Hirschberg Sinclair algorithm the best case scenario would be for every node to have their tokens discarded in the first wave except the node with the highest identifier this would happen in an ordered ring but it would still have a O n complexity We assume that it is unlikely for multiple machines to fail at once and thus the election of a new manager should run in constant time using our algorithm If every machine in the net work should crash it is more likely that we face an attack than a common error If we consider the Franklin algorithm the chance of choosing the right starting node is too low and for the Hirschberg Sinclair algorithm the complexity is too high We assume that each election venue has at most 25 machines and that the election of a new manager is not something that happens frequently Considering that there is a relatively small amount of machines the choice of election algorithm is not very important since the speed of the algorithm is unlikely to be noticeable 29 8 3 2 Fatal errors If the system should experience an attack or a major hardware error during the election the need to switch to a paper based approach arises Dependant on the situation different options present themselves If several computers break down and the amount of operational computers left is not enough an option would be to print the data as it
41. of the principles discussed in this paper could be relevant Construct an easy way for users to access the log and filter it 41 Be able to adjust the IP range and timeout for the DiscoverNetworkMachines method in Station from the user interface Make an installer that installs SQLite and a PDF reader such as Adobe acrobat reader along with the application Modify the logging system to implement distributed logs instead of locally stored logs Modify the application in such a way that it would run as a service and require administrator rights to close Create a possibility to test the system before the election starts Potentially done via a test voter Implement a message queue system in the manager communication layer e User Interface Make sure that scanned voter number will be entered in the right text box regardless of focus For the user interface to be able to populate the lists of station in the OverviewPage and ManagerOverviewPage automatically and update it every ten seconds Remove the Opdater buttons on the OverviewPage and ManagerOverviewPage Make the Tilf j Fjern and Ger til Manager buttons in the OverviewPage and ManagerOverviewPage inactive when nothing is selected instead of the current solu tion when nothing happens when they are pressed Bind the Enter key to the correct button in the ManagerOverviewPage dependant on which text boxes were
42. repairable we identified five major bugs These bugs interrupts the normal workflow when using the application and must be fixed before using the application in a real world environment 40 Chapter 12 Future Development When we started this project we were aware that gaining access to the government databases in Denmark was something that we did not want to pursue We aimed to develop a system where another developer could easily adapt it to fit new database structures and communication method To promote modularity and make it easy to exchange one part of the system without affecting other parts we made the following interfaces e ICommunicator e ICommand ICrypto e IDatabase IScanner e IDvlUi e ILogger We also wanted to make a logging system where we logged as much information as possible It could seem to be hard to find the information you are searching for but with modern log analysis tools this can be achieved without too much of a hassle We would rather log too much information and have future developers filter it than log too little and force them to insert their own log statements all over the code 12 1 Improvements As a starting point for future development we have made a list of improvements would like to have done ourselves were we given more time e System For the system to be able to support letter votes prior to the election This might ben efit from having its own project and application but many
43. requests the manager machine to synchronize all the other machines with a certain update set e Broadcast A station broadcasts an update set to all other machines e Epidemic station utilizes an epidemic protocol to update all other machines This synchronization can be initialized at different times during the election e On action After every action a voter scans a voter card on a station a synchronization is initialized e Interval At a certain time interval a system wide synchronization is initialized e Key points At certain key points eg after 100 voter cards have been scanned a system wide synchronization is initialized We have chosen a combination of Request Synchronize and On action By using the manager as a mediator when an update is to be propagated to the machines in the network we obtain a simpler communication channel which is easier to reason about and test We chose On action updates because we want the updates to happen every time a voter has been handed a ballot to ensure that if a machine crashes its data is not lost We realize that this generates a large amount of messages but it satisfies our condition that every machine must have the full data set all the time as described in section 6 1 Receiving and distributing data Once again there are several ways we can do this Our own algorithm with this approach an update message is sent from a station to the manager every time a voter requ
44. tests The unit tests were only written for the Aegis DVL system and not the user interface The user interface was black box tested We consider white box unit testing testing to be a more reliable way of testing but also more time consuming We could have unit tested some of the user interface but other parts of it would be problematic Ultimately as the user interface is only meant for demonstration purposes we decided only to black box test it 11 0 2 Results Test results 37 b 50 wv 50 eo 0 0 O Y El Tests 50 tests 1 00 994 Success GW Tests 50 tests 1 00 994 Success E NP CommandsTests 10 tests 0 26 635 Success GH W CommunicatorTests 5 tests 0 17 882 Success EE W CryptoTests 5 tests 0 05 219 Success H VP DatabaseTests 2 fests 0 02 457 Success GH VP DataTypesTests 9 tests 0 01 164 Success H VP LoggingTests 1 test 0 01 033 Success H Y StationTests 14 tests 0 06 247 Success H VP UtilTests 4 fests 0 00 356 Success The coverage results exclude parts of the system It excludes some of the generated Entity Framework code as we have not written it nor used it beyond what was covered We ve also excluded some Finalize methods that were not being run due to IDisposable being implemented The Finalize methods were not written by us either Some of the code was wrongfully marked as not being covered due to reasons unknown This mostly covered lambda expressions in
45. that this voter can now be handed a ballot e Eksporter data opens a dialog where you choose where to export the voter data After you have chosen a destination you are asked to enter the master password When this is done successfully the data is exported to the chosen location and the election continues e Afslut asks you to enter the master password If entered correctly the application closes e Bruger manual opens a PDF file containing this user manual If the manager machine should lose the connection to the network or lose power the remain ing stations automatically elects one of the stations as the new manager and the user interface reflects it If the election should be a victim of an attack the detection triggers a shutdown of the entire election This means this dialog appears on all machines 77 e Valget er blevet udsat for et potentielt angreb og lukkes ned When OK is pressed the application closes 17 4 UPPAAL en Y C Users Nikolaj Documents My Dropbox Bachelor Project Bachelor UPPALLxml UPPAAL Fil Rediger Vis Funktioner Indstillinger Hj lp Banja ae lo El x voter t voters O0 v imply forall c chan t voters c v E lt gt forall v voter t voters 0 v imply forall c chan t voters c v A forall v voter t ballotsHandedOut v imply forall c chan t voters 0 v A forall v voter t ballotsHandedOut v 1 Foresp rgsel Al
46. ways each with its own advantages and disadvantages Every machine has the full data set all the time This solution has the advantage of being the most robust because the data is not lost if a machine crashes since all the other machines will have a full backup of all the data The disadvantages are that the network traffic required to makes sure that the data set is up to date on all the machines is quite high compared to the other solutions Also if an adversary was to gain access to any machine he would have access to the full data set which leaves him with a larger attack surface Every station has a partition of the data set and the management machine has either no data set the full data set or a backup partition based on some criteria This solution uses less network traffic since it only needs to synchronize the station with the relevant part of the data Also this solution leaves less options for adversaries to gain access to the full data set since each machine only has a partition The disadvantages is that the solution is very prone to adversaries that seek to destroy the election If even a single machine crashes its entire data set is lost This can be circumvented by having a backup of the full data set stored on the manager machine which will increase network traffic but provide a full data set which increases the attack surface Every station has two or more partitions of the data set one partition belonging to the station i
47. 255 39 Author Aaes 398 Date 2012 05 04 16 04 399 Message 400 401 Revision 254 402 Author Aaes 403 Date 2012 05 04 15 59 404 Message markAsConnected should work as intended 405 406 Revision 253 407 Author Aaes 408 Date 2012 05 04 15 51 409 Message 40 411 Revision 252 412 Author Aaes 413 Date 2012 05 04 15 50 414 Message now only one update thread will be active at a time and it will be aborted when you leave the window 415 416 Revision 251 417 Author Aaes 418 Date 2012 05 04 15 35 419 Message 420 421 Revision 250 422 Author Aaes Page 5 Revision History 21 05 2012 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 Date 2012 05 04 15 30 Message Revision 249 Author Aaes Date 2012 05 04 15 22 Message the ballot response dialogs will have a MessageBoxImage Stop if the response was false Revision 248 Author Aaes Date 2012 05 04 15 12 Message fixed ballotrequestreply to use the right dispatcher Revision 247 Author Aaes Date 2012 05 04 15 04 Message Loading bar for updating
48. 54 155 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 MEL 772 773 774 775 776 TIF 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 Message Revision 183 Author Aaes Date 2012 05 02 Message now the Revision 182 Author Skovvart Date 2012 05 02 Message Revision 181 Author Skovvart Date 2012 05 02 Message Revision 180 Author Skovvart Date 2012 05 02 Message Revision 179 Author Skovvart Date 2012 05 02 15 31 dialogs showing passwords are not modal anymore 15 27 15 16 15 14 15 12 Message Test code Revision 178 Author Aaes Date 2012 05 02 15 02 Message comments in UiHandler Revision 177 Author Skovvart Date 2012 05 02 15 01 Message Listener loop added Revision 176 Author Aaes Date 2012 05 02 Message Revision 175 Author Skovvart Date 2012 05 02 14 46 14 44 Message New constructors taking IDvlUi Revision 174 Author Skovvart Date 2012 05 02 14 35 Message OCD reformatting Revision 173 Author Aaes Date 2012 05 02 14 33 Message added commments to IDvlUi Revision 172 Author Skovvart Date 2012 05 02 13 55 Message Moved UI interface to proper sol
49. 6 1157 1158 1159 1160 1161 1162 1163 1164 Date 2012 04 27 10 23 Message Reformatted and renamed some things Don t hate Aaes CO Revision 117 Author Skovvart Date 2012 04 27 10 12 Message Added synccommand untested updated publickeyexchange slightly added bouncycastle to ui assembly Revision 116 Author Aaes Date 2012 04 25 15 33 Message Added a way for every machine to mark a voter only via CPR and masterpassword Revision 115 Author Skovvart Date 2012 04 25 15 23 Message Serializable p den nye command Revision 114 Author Skovvart Date 2012 04 25 15 19 Message RequestBallot CPR masterpassword added to station Master password hash is saved to Master pw SO it persists even when program terminates Revision 113 Author Aaes Date 2012 04 24 16 51 Message To request a ballot using only the CPR the masterpassword is required Revision 112 Author Skovvart Date 2012 04 24 16 51 Message Added CPR masterPassword access to the database Revision 111 Author Aaes Date 2012 04 24 16 43 Message It is possible to export the data from the files menu Revision 110 Author Aaes Date 2012 04 24 16 29 Message The population of the lists in manageroverviewpage and in overview is optimized Revision 109 Author Skovvart Date 2012 04 24 16 22 Message Implemented masterpassword in station not commands etc Revision 108 Author Aaes Date 2012 04 24 16 04 Mess
50. 7 1 User interface tests 17 2 Class diagrams ye n tope mr Sh a h k o d Wc ar n Veg ed ed A RR UR u bwa TR Tts User manual ii os LER a da cj db ERE de lt L E eue q ri ae darl dL ss kr ATUPPANLI 23 hb true N NNN MM de n ce UR UY EU VR BE AT Am RS Ta O AULACE ACES a Ot ees A A E CHE PISO Pod PE e 17 6 Revision historia eer eerte Boo QO e Au z n V yan RO TES RUE RE VE eie A Whit BON rx out ue REP Peu Spe use fete cfe 32 35 37 37 37 38 41 41 43 44 45 Chapter 1 Introduction Voting in Denmark is a paper based process prone to errors and it requires many resources This paper describes the Aegis Digital Voter List system Aegis DVL designed to replace the current paper based approach of validating voters based on their voter cards with a software solution The system handles sensitive data and needs to be resistant to malicious attacks and tampering The paper discusses how network information is secured how crashes are handled how the data is distributed and other relevant topics related to the system 1 1 Problem definition KMD developed a proprietary system used to generate and check voter cards It provides little transparency and it can be hard to trust that it is secure since the security can not be verified by the public Is it possible to develop a transparent and secure alternative to KMD s solution The goal of this project is to design and develop an open so
51. 87 Author Aaes Date 2012 04 17 13 08 Message added logging class not finished and additional UI windows Revision 86 Author Skovvart Date 2012 04 16 16 45 Message Updated tests changed a lot of command comparisons to use Equals rather than Revision 85 Author Aaes Page 15 Revision History 21 05 2012 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 Date 2012 04 15 18 28 Message Added logger and ILogger class updated the BON to reflect it Revision 84 Author Skovvart Date 2012 04 12 15 14 Message Fixed some tests restructured part of the Database namespace Revision 83 Author Aaes Date 2012 04 11 15 39 Message Added PDFGenerator Revision 82 Author Skovvart Date 2012 04 11 15 35 Message Removed some TODO s Revision 81 Author Skovvart Date 2012 04 11 15 11 Message Fixed test Revision 80 Author Skovvart Date 2012 04 11 15 09 Message Tests updated some equality checking fixed Revision 79 Author Skovvart Date 2012 04 11 13 57 M
52. Bachelor project Aegis Digital Voter List Nikolaj Aaes and Nicolai Skovvart IT University of Copenhagen Supervisor Joseph Kiniry May 22 2012 Abstract Securing modern e voting systems is a very challenging task This paper describes an attempt to implement a secure digital system that could assist the current Danish voter card to ballot exchange protocol The current approach is paper based and we have developed a digital solu tion with a strong focus on securing the data using encryption The paper also discusses the different protocols for how election data is handled transported and who interacts with it We identify different kinds of attacks the system could be susceptible to and present what kinds of countermeasures we have implemented to prevent any malicious behaviour from both outside and inside adversaries Contents 1 Introduction 4 LET Problem definition sa 3 i 2 a2 a a Gi u E Se eae he ge Gees 4 2 Scope 5 3 Assumptions 7 4 Requirements and Goals 8 5 Design and Architecture 10 bib OVERVIEW a BES epos xe ede PAS RIEN WE 10 0 2 Desin e used aru voee Emm desee pb ee dede ue re eR eeu 11 5 9 The main classes i x tn e om uomo LIS ER IR ILLIS a a a RU 11 Dr o A E A 11 5 23 25 LINDO ts a t dtm an queo QA ee E oS 12 91315 Communicator 4 3 eae A S AA RE RUE B e 12 334 SqLmeDatabasew e e 41s ah o W n r hele b pU bp SR eS 12 93 0 JLOggero sas de Rae ede RR Rn a RUP ka ate A LUN E ha
53. ElectioninProgress end Page 3 Station Formal 16 05 2012 184 invariant 185 Address void and Peers void 186 end 187 end 188 end Page 4 UI Formal 16 05 2012 O N 6 QI d uU N pp NNNNNNAR RR RR RR RR QES Q NE 9 N IK Q NE O static diagram DIGITALVOTERLIST component cluster UI component deferred class IUI feature ManagerExchangingKey STRING ip IPADDRESS StationExchangingKey STRING ip IPADDRESS ShowPasswordOnManager void pswd STRING ShowPasswordonStation void gt pswd STRING BallotRequestReply void gt hand0utBallot BOOLEAN ElectionEnded void ElectionStarted void IsNowManager void ShutDown void NotEnoughPeers void EnoughPeers void end end end Page 1
54. ExportData GeneratePassw GetPeerlist ImportData ImportElection IsMasterPWCor IsNowManager IsStationActive MakeManager ManagerAnnou ManagerExcha MarkAsConnec NotEnoughPeers RemoveStation RequestBallot RequestBallotO ShowPassword ShowPassword Shutdown StationExchang UiHandler Page i Methods Y BackButtonClick DataloadPage Y FileBrowseButt Y KeyBrowseButt Y NextButtonClick AddButtonClick BackButtonClick IncomingReply MarkAsConnec OverviewPage PopulateList PopulateListThr RefreshButtonC RemoveButton SetPasswordLa StartEndElectio ManagerOvervi Class gt Page T El Methods 3 AddButtonClick BallotResponse CheckValidityB CPRNumberTex EndElectionButt IncomingReply IsNumeric MakeManagerB ManagerOvervi MarkAsConnec OnlyCprButton PastingHandler PopulateList PopulateListThr PreviewTextinp RefreshButtonC RemoveButton SetPasswordLa UI Commands Back end Tests 17 3 User manual Installation 1 Before the election a manager machine should be placed away from the voters and all the station machines should be placed so that they are accessible to the voters Install the ADO NET 2 0 Provider for SQLite link http sourceforge net projects sqlite dotnet2 on each machine This is the database framework needed to run the program Install Adobe acrobat reade
55. Methods covered by contracts 93 Lines of contract code 189 Lines of non trivial contract code 39 Class invariants 9 It is worth noting that a lot of the methods that are not covered are auto property getters that are unable to guarantee anything The majority of the contracts are trivial requires not null checks or ensures not null checks Some of the more interesting contracts requires that stations are or are not currently listening to TCP requests or requires that the machine is currently the manager 13 Chapter 6 Data This system handles a lot of data transactions and most of this data is personal and sensitive People do not want everyone knowing their CPR numbers and whether they have voted or not Before an election can start each election venue needs a list of voters that should be able to hand in their voter cards in exchange for a ballot and vote at their specific location Initially all this information is stored in a single location and needs to be partitioned for each election venue This partitioning will most likely be based on the addresses of the voters but in this paper we do not discuss how this partitioning should be conducted After the partitioning the different fragments must be transported to the election venues This can happen in a few different ways e Use the Internet to transmit the data e Use a messenger service to transport it via a portable medium USB device CD etc e Use your own mess
56. R 1 Be the election official s 0 1 medium 1 2 Force access 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access Digitally force access 3 Force an insider to grant access Manipulate person s gt 2 Delete the database 0 1 high 2 2 During transportation 0 1 high 4 OR 1 Delete data on the USB device 0 1 high 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it lt Manipulate person s gt 2 Delete the data 0 1 high 5 3 Optional Give the USB device to people transporting it 0 1 low 5 3 At the tallying location 0 1 low 4 OR 1 Be responsible for tallying 0 1 low 1 2 Manipulate person s responsible for tallying to delete the data lt Manipulate person s gt 3 Delete the data without the person s responsible noticing 0 1 high 1 4 lt Digitally force access gt 5 Physically force entry and the attacker deleting the data 0 1 low 4 6 Corrupting data 0 1 low 4 OR 1 Before the election 0 1 low 4 OR 1 During partitioning lt Gain access to partitioning machine gt 2 During transportation to election venue 0 1 low 4 OR 1 Corrupt the USB device 0 1 low 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it lt Manipulate person s gt 2 Corrupt the data 0 1 high 5 3 Optional
57. Reorganized some regions in Stations implemented the new IDvlUi features in TestUi Revision 311 Author Aaes Date 2012 05 15 Message NotEnoughPeers and EnoughPeers are implemented Revision 310 Author Skovvart Date 2012 05 15 13 39 13 30 13 20 13 19 names to danish 13 12 13 10 13 05 12 54 Message AddPeer and RemovePeer will now announce to the UI when there s enough or not enough peers to continue the election The required amount of peers is at the moment set to 1 Revision 309 Author Aaes Date 2012 05 15 Message added enough peers and not enough peers to IDvIUI Revision 308 Author Skovvart Date 2012 05 15 Message Generated passwords now use 10 chars Revision 307 Author Skovvart Date 2012 05 15 Message Made ShutDownElection and ShutDownElectionCommand notify the UI renamed default and root 12 53 12 33 12 30 namespace to Aegis DVL Revision 306 Author Aaes Date 2012 05 15 12 23 Message added shutdown UI method Revision 305 Author Aaes Date 2012 05 14 Message changed Revision 304 Author Aaes Date 2012 05 14 Message changed Revision 303 Author Aaes Date 2012 05 14 Message Changed Revision 302 Author Skovvart Date 2012 05 11 Message Changed Revision 301 Author Aaes Date 2012 05 11 12 49 the window titles 12 35 the icon for the 12 31 the icon 18 27 PublicKeyExchange failure state requirement to Manager
58. Revision 246 Author Skovvart Date 2012 05 04 15 00 Message CryptoCommand should also use the appropriate key now Revision 245 Author Skovvart Date 2012 05 04 14 55 Message CryptoCommand will now also accept messages from yourself Revision 244 Author Skovvart Date 2012 05 04 14 36 Message Removed contract that requires that the Iv setter requires that the value is different since it causes problems when sending the message to yourself Revision 243 Author Aaes Date 2012 05 04 14 27 Message update label added to overview and manageroverview Revision 242 Author Skovvart Date 2012 05 04 14 16 Message Database get no longer throws exception when the voternumber doesn t match the cpr only returns Bal lotStatus NotAvai lable Revision 241 Author Aaes Date 2012 05 04 14 14 Message the PopulateList methods should be in seperate threads now Revision 240 Author Aaes Date 2012 05 04 14 02 Message Revision 239 Author Skovvart Date 2012 05 04 14 00 Message fixed yet again Revision 238 Author Skovvart Date 2012 05 04 13 58 Message Fixed nullcheck Revision 237 Author Skovvart Date 2012 05 04 13 56 Message NewIv should always be different from the old one Revision 236 Author Skovvart Date 2012 05 04 13 45 Message when the manager is sending cryptocommands to itself it will now use the right encryption key since the manager isn t found in its peerlist Revision
59. T In the end we decided to implement our own secure communication This was partially done due to not requiring all of the functionality of SSL or PGP GPG but also because of Bouncy Castle lacking some functionality such as a SSL server and the fact that the PGP GPG implementation was clunky Using a lot of the concepts of PGP GPG we do believe our secure communication is actually secure 44 Chapter 15 Conclusion We believe the project has been a success We successfully built a distributed digital voter list system with no single point of failure that uses secure network communication and make use of encryption to secure personal sensitive data The system was fully documented using the BON specification language and was created using design by contract A part of the system was also verified using the model checker UPPAAL The system was also tested thoroughly with a total of 97 code coverage Though there are problems with the system that need to be fixed if it were to be used in a real election the theory and design decisions are sensible and there is a solid foundation that can be developed from With further development we definitely believe the system could replace the system made by KMD The primary requirements were fulfilled and some of the secondary as well Primary requirements Features All of the requirements in this category were met We have constructed a system with a graphical user interface where at least one ma
60. VOTERNUMBER and BALLOTSTATUS Page 1 System Informal 16 05 2012 35 Class LOGENTRY description A log entry is an entry in a log It contains a message a time and a level indicating its type 36 end Page 2 Command Informal 16 05 2012 1 class chart COMMAND 2 indexing 3 author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk 4 explanation A command is sent over the network and can be executed at the destination 5 query 6 who sent this command 7 command 8 Execute this command 9 end Page 1 Communicator Informal 16 05 2012 1 class chart COMMUNICATOR 2 indexing 3 author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk 4 explanation A communicator is responsible for securely passing commands between two parties 5 query 6 May I have a new communicator with this station as the parent 7 Is this machine listening on this port 8 who is my parent 9 what are the addresses of machines in the local network 10 command Ti send this command securely to this target 12 Receive and handle all commands 13 constraint 14 All commands should be secure 15 end Page 1 Core Datatypes 16 05 2012 WO N DUN Ah uU N pp RR RR RS ARWN EO 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 Class chart CIPHERTEXT
61. ack must know who generates or where the private key is generated Attack OR 1 Be responsible for generating the private key 0 1 medium 1 2 Manipulate person s responsible for generating the private key lt Manipulate person s gt 3 Steal the private key without being noticed 0 1 medium 1 Postcondition The attacker now knows how to decrypt data Attack pattern Acquire public key used to encrypt data 0 1 low 4 Goal To acquire the public key used to encrypt voter data such as voter number CPR number and ballot status Precondition Attack OR 1 Gain access to a machine and read the public key from RAM 0 1 high 1 2 Acquire the USB device with the election venue data 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate person s transporting it Manipulate person s gt 3 Be the person responsible for generating the public key 0 1 high 1 Postcondition Attacker now knows how to encrypt data Attack pattern Digitally force access 0 0 high 2 Goal Attacker forces access to the machine through digital means and can execute arbitrary code Precondition Attacker must have a computer from which he can control the execution and the skills to do so Attack OR 1 A machine connected to the DVL machines is available through the internet 0 0 high 1 2 A malicious machine is attached to the network 0 0 high 1 3 A DVL machine is compromised to begin with 0 0 high 2 Postconditio
62. age Moar UI Revision 107 Author Aaes Date 2012 04 24 15 05 Message Revision 106 Author Skovvart Date 2012 04 24 15 04 Message Updated communicator to handle failures updated tests Added GeneratePassword to I Crypto Added some regions to IDisposable Revision 105 Author Aaes Date 2012 04 24 14 46 Message Added a checkMasterPW Dialog and revised the Overview window Revision 104 Author Aaes Date 2012 04 24 14 09 Message Corrected the folder structure of the UI Revision 103 Author Aaes Date 2012 04 24 14 03 Message Added more code to make the merging of station and the UI smoother Revision 102 Author Skovvart Date 2012 04 23 16 54 Message Updated unit tests to include logging Page 14 Revision History 21 05 2012 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 3177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 Replacing source Digital Voter List Digital Voter List Logging LogModel Designer cs Replacing source Digital Voter List Digital Voter List Logging LogModel edmx Revis
63. al without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it Manipulate person s gt 2 Acquire public key used to encrypt the data 3 Encrypt tampered data set with public key 0 1 high 5 4 Write data to own USB device 0 1 low 5 5 Give new USB device to people transporting it 0 1 low 5 2 Manipulate the data on the existing USB device 0 1 high 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it lt Manipulate person s gt 2 Replace or manipulate 0 1 high 4 OR 1 Manipulate 0 1 high 4 AND 1 Acquire private key used to decrypt the data 2 Acquire public key used to encrypt the data 3 Decrypt data set 0 0 high 5 4 Manipulate data 0 O high 5 5 Encrypt tampered data set with public key 0 O high 5 6 Write data to USB device 0 0 low 5 2 Replace 0 1 high 4 AND 1 Acquire public key used to encrypt the data 2 Encrypt tampered data set with public key 0 O high 5 3 Write data to USB device 0 0 low 5 3 On manager machine before election has started 0 1 high 4 AND 1 Gain access to the manager machine 0 1 low 4 OR 1 Be the election official s 0 1 medium 1 2 Force access 0 1 low 4 OR 1 Physically force access 0 1 low 3 2 Digitally force access Digitally force access 3 Force an insider to grant access Manipulate person s gt 2 Replace or manipu
64. appropriate text boxes 47 Press F rdig with a A prompt saying that Yes None valid voter number and the voter can not be but an invalid CPR handed a ballot appears number in the appropri ate text boxes 48 Press Fardig with an A prompt saying that Yes None invalid voter number the voter can not be and a valid CPR num handed a ballot appears ber in the appropriate text boxes 49 Press Fardig with no You can not press the No A prompt appears say voter number and a F rdig button ing that voter can not valid CPR number in receive a ballot the appropriate text boxes 50 Press F rdig with a You can not press the Yes None valid voter number and F rdig button no CPR number in the appropriate text boxes 51 Press F rdig with no You can not press the Yes None voter number and no F rdig button CPR number in the ap propriate text boxes 52 Press F rdig with a A prompt saying that Yes None valid voter number and the voter can not be a valid CPR number handed a ballot appears in the appropriate text boxes that has already voted 53 Press F rdig with a You can not press the Yes None valid voter number and F rdig button and a a valid CPR number label showing that not in the appropriate text enough stations are con boxes but not enough nected appears stations are connected 54 Press Kun CPR with a A prompt saying that Yes None valid CPR number in the appropriate
65. are sent securely wrapped in a CryptoCommand The CryptoCommand checks that the sender is who it claims to be through the use of hybrid cipher encryption This requires that the sender and receiver know each other which they do not at system startup Therefore PublicKeyExchangeCommands are sent unencrypted but the public key they contain is obfuscated by a randomly generated password The password is shown on the sender s machine when received and the receiving machine needs to type it in The only other command that is not wrapped in a CryptoCommand is the IsAliveCommand that is used to check if a machine is actively listening on the network port the system uses 8 2 0 PGP GPG and SSL During our design phase we considered using PGP 44 GPG 49 and SSL 50 which are all technologies that concern themselves with secure communication The main idea behind PGP and GPG is that you can not trust a sender of a normal email to actually be who he claims to be This is solved by having public private key encryption and signing of keys While the public private key encryption is an idea we also have used the signing of keys does not benefit our system all that much The value of a signature originates from the writer of that signature and if our system operates on a closed network the only machines who could sign the keys would be machines we essentially controls ourselves This would mean that we simply trust our own signature which does not provide an
66. ars appropriate text boxes 23 Press F rdig with a A prompt saying that Yes None valid voter number and the voter can not be but an invalid CPR handed a ballot appears number in the appropri ate text boxes 24 Press F rdig with an A prompt saying that Yes None invalid voter number the voter can not be and a valid CPR num handed a ballot appears ber in the appropriate text boxes 25 Press F rdig with no You can not press the Yes None 53 26 Press F rdig with a You can not press the Yes None valid voter number and F rdig button no CPR number in the appropriate text boxes 27 Press F rdig with no You can not press the Yes None voter number and no F rdig button CPR number in the ap propriate text boxes 28 Press F rdig with a A prompt saying that Yes None valid voter number and the voter can not be a valid CPR number handed a ballot appears in the appropriate text boxes that has already voted 29 Press F rdig with a You can not press the Yes None valid voter number and F rdig button and a a valid CPR number label showing that not in the appropriate text enough stations are con boxes but not enough nected appears stations are connected EndedElectionPage 30 Pres the Gennemse a file browser appears Yes None button in the Ended and lets you choose a ElectionPage destination if you do notchoose one nothing a
67. asterpassword in constructor in logger and sqlitedb Revision 124 Author Aaes Date 2012 05 01 12 18 Message Renamed UiHandler back to UIHandler and remade some missing methods Revision 123 Author Aaes Date 2012 04 30 16 49 Message Comments on the UIHandler and in some other UI classes Revision 122 Author Skovvart Date 2012 04 30 16 43 Message Fixed some serialization problems with Synccommand added a test added a comment for a missing parameter in IDatabase added the option of not creating dummy databases should be removed soonish alltogether Revision 121 Author Skovvart Date 2012 04 30 15 54 Message No longer overriding Master pw Revision 120 Author Skovvart Date 2012 04 27 11 06 Message Note added Revision 119 Author Skovvart Date 2012 04 27 10 25 Message Added comment Also previous update uncommented a couple of things in UiHandler make sure it doesn t cause problems Revision 118 Author Skovvart Page 13 Revision History 21 05 2012 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 3117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 3131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 115
68. at the machine will not have a consistent data set anymore since it does not receive updates from the manager anymore This means that the user interface should have a strong way to inform the user of whether a machine is connected to the manager or not 30 8 4 Logging Logging is a tool to make sure that the execution of the program is easy to inspect This makes it possible to find out what happened after an election whether it was a success or something went wrong We have chosen to store the logs on all the machines locally They are stored in a database file encrypted with the master password ensuring that it can be accessed at any time The log file is located in the application directory In our implementation we have chosen to have an interface ILogger which makes it easy to switch the logging mechanisms if it should be necessary We have implemented a simple class that inherits from ILogger and can store log entries instead of a framework which would over complicate this simple operation For a comparison of some of the most popular logging frameworks see Comparison of NET Logging Frameworks and Libraries 27 We have chosen five different logging levels that each indicate a different kind urgency Debug Contextual information used for diagnosis Info Contextual information used to help trace execution Warn Indicates a potential problem in the system Error Indicates a serious problem in the system Fatal Indicates a
69. base This solution is quite similar to the previous solution but the data is now moved to a separate machine This is an advantage because the manager machine facilitates other features and is therefore more prone to errors and attacks than a separate machine which no one interacts with The disadvantage is an increase in network traffic since the manager 15 now has to forward all requests and answers from the separate database This solution still has a single point of failure which from a distributed systems viewpoint is a serious disadvantage We chose to use the first solution for its robustness We realized that we needed to focus on making each machine as secure as possible since they all contain the full data set but being able to recover from the crash of any machine is a desirable property While this solution is traffic intensive we do not sacrifice any robustness and in a real world scenario each election place has at most 25 machines in total which makes the traffic almost unnoticeable The system might not scale in an ideal manner but the security aspect takes priority over performance 16 Chapter 7 Synchronization and Broadcasting Since we chose a robust solution where every machine has the entire data set at all times we need a way to synchronize all the machines to make sure that all the data sets are up to date if any of them should crash There are several ways this can be done e Request synchronize A station
70. cceptManagerDialog and CheckMasterPasswordDialog unless he has actually written something Revision 227 Author Aaes Date 2012 05 03 16 24 Message It is now impossible to remove stations you are not already connected to in the ManagerOverviewPage Revision 226 Author Aaes Date 2012 05 03 16 22 Message the station window will appear in the middle of the screen on open Revision 225 Author Aaes Date 2012 05 03 16 20 Message AcceptStationDialog AcceptManagerDialog and checkmasterPasswordialog now focuses thier passwordboxes on startup and Esc is bound to cancel and Enter is bound to OK Revision 224 Author Skovvart Date 2012 05 03 16 20 Message PublicKeyExchangeCommand will keep asking for a new password when unable to get a key from the provided Should stop on cancel Revision 223 Author Aaes Date 2012 05 03 16 15 Message translated list headers and enabled cancel on the gor til manager button Revision 222 Author Aaes Date 2012 05 03 16 12 Message AcceptstationDialog and AcceptManagerDialog now use password boxes instead of textboxes Revision 221 Author Aaes Date 2012 05 03 16 11 Message showPasswordwindow wasnt used anymore and was deleted Revision 220 Author Aaes Date 2012 05 03 16 10 Message added a filter to the export save file dialog Revision 219 Author Aaes Date 2012 05 03 16 08 Message wipes the shown password on the manager when a reply is received Revision 218
71. cilitates all queries to the database This system uses an SQLite database but it can easily be changed and the alternatives are discussed in section 7 1 Database management system DBMS If the DBMS needs to be changed or one wants to change to a different kind of data storage a new database class can be constructed and used as long as it implements IDatabase 5 3 5 Logger The Logger class is responsible for all log entries and exporting the log Whenever an important event in the system occurs the Logger class sees to that it is logged in the right place with the right encryption No logging framework is used by our logging class but if one wanted to add a framework or change the way the logs are stored a new Logger class can be constructed and used as long as it implements ILogger 5 3 6 UiHandler The UiHandler is responsible for all user interface related communication Every time the user interface wants to use methods from the station and the other way around it results in a call to the UiHandler If the user interface needs to be replaced a new UiHandler class can be constructed and used as long as it implements IDvlUi 12 5 4 Generating voter cards One of the requirements for the system was the generation and printing of voter cards To ac commodate this we have added a PDFGenerator project written by K re Sylow Pedersen as a part of the Digital Voter Registration System 29 The code can generate voter cards and lists of v
72. cluded Chapter 3 Assumptions To reason about the systems and the work practices surrounding it we have made certain assumptions e Both inside and outside adversaries will use any given opportunity to exploit the system e Adversaries have the required resources and time to carry out the attack of their choice e The encryption algorithms can be trusted to encrypt and decrypt data in the manner explained in the documentation in a reliable fashion e The algorithm chosen for generating keys can be trusted to generate matching key pairs in a reliable manner e Danish CPR numbers are unique e A single entity holds all CPR numbers and is able to partition them for the election venues e A single entity will receive all the voter data from all the election venues after the election has ended e The entity that prints voter cards and hands them out can be trusted e No election venue will contain more than 25 machines e It is unlikely for multiple machines to fail at once unless the system is being attacked e Each election venue will handle at most 25 000 voters during the election Chapter 4 Requirements and Goals We wanted a system which was secure and user friendly We wanted as little responsibility trans ferred to the election staff as possible which means that our program should be able to solve most problems without requiring attention from the user With this in mind we devised the following requirements Primary re
73. comparison on l6th April 2012 48 28 UPPAAL home retrieved from http www uppaal org on 7th May 2012 29 Digital Voter Registration System Christian Olsson K re Sylow Pedersen and Henrik Haugbglle IT University of Copenhagen 14th December 2011 30 NUnit Home retrieved from http www nunit org on 8th May 2012 31 Code coverage tool for NET dotCover http www jetbrains com dotcover on 11th May 2012 32 Pex Automated White box Testing for NET retrieved from http research microsoft com en us projects pex default aspx on 18th May 2012 33 Business Object Notation BON Kim Waldn Enea Data Chapter 10 in Handbook of Object Technology CRC Press 1998 retrieved from http www bon method com handbook bon pdf on 10th May 2012 34 Code Contracts retrieved from http msdn microsoft com en us library dd264808 aspx on 10th May 2012 35 Applying Design By Contract Bertrand Meyer October 1992 retrieved from http se ethz ch meyer publications computer contract pdf on 10th May 2012 36 Systembeskrivelse KMD Digital Valgliste Version 2 1 0 KMD A S 05 09 2011 re trieved from http nykundenet kmd dk systembrugere valg Valgudskrivning Vejledninger Digital 20Valgliste 208ystembeskrivelse 20Version 202 1 0 pdf on 10th May 2012 37 Kom godt i gang KMD Digital Valgliste Tekniker Version 2 1 0 KMD A S 05 09 2011 retrieved from http nykundenet kmd dk systembrugere val
74. controlling entity and illustrates that adding additional layers of security is not always beneficial A desirable way to deal with this is distributed security If several entities with different stakes control the security together it becomes more robust As an example a married couple might share a bank account The husband does not trust the wife not to spend all the money on shoes and the wife does not trust the husband not to spend it all on wine but they need to be able to extract money from the bank account for shared needs If they both have a part of the account password they can only extract money from the account when both of them are present This prevents each of them from emptying the bank account on their own The same principle could be applied to the election venue with members from opposing political parties both not wanting the other to inappropriately manipulate the election When implementing the security in our system we realized just how hard it actually is to implement and how easy it is to implement it wrong We initially considered using SSL and PGP GPG with OpenSSL 60 as using verified security approaches gives a greater sense of trust but the documentation for OpenSSL NET 61 was severely lacking We eventually switched to using Bouncy Castle where the documentation was better but not great Its greatest strength was probably the fact that it was a NET implementation and not merely a C wrapper like OpenSSL NE
75. d gt b BYTEARRAY require b void Page 1 Crypto Formal 16 05 2012 63 64 65 66 67 68 69 70 71 72 73 74 Z3 76 77 78 79 ensure GetIv b end GetIv BYTEARRAY ensure result void end NewIv void ensure GetIv void and GetIv old getIv end GenerateSymmetricKey BYTEARRAY ensure result void end end end end Page 2 Database Formal 16 05 2012 O N 6 QI bh uU N pp NBPRPRPRPRPRP RR PR e N RUN HO 21 22 23 24 25 27 28 29 31 32 33 34 36 static diagram DIGITALVOTERLIST component cluster DATABASE component deferred class IDATABASE feature deferred GetBallotStatus BALLOTSTATUS vn VOTERNUMBER Cpr CPR require vn void and cpr void end deferred SetBallotStatus void vn VOTERNUMBER gt cpr CPR bs BALLOTSTATUS require GetBallotstatus vn cpr BALLOTSTATUS Unavailable and bs BALLOTSTATUS Unavailable and GetBallotstatus vn cpr BALLOTSTATUS NotReceived and bs BallotStatus Received or GetBallotStatus vn cpr BALLOTSTATUS Received and bs Ballotstatus NotReceived ensure GetBallotstatus vn cpr bs end deferred GetBallotstatusCPROnly BALLOTSTATUS gt cpr CPR gt pswd STRING require pswd void and Parent ValidMasterPassword pswd end deferred SetBallotStatusCPROnly void gt cpr CPR gt bs BALLOTSTATUS gt pswd STRING require pswd void and Pa
76. d the station becomed to is selected in the the new manager ManagerOverviewPage Redirect to BallotRe questPage for manager and redirect to Man agerOverviewPage for station 70 Press the Afslut Valg after having typed the Yes None button int he Man correct master pass agerOverviewPage word redirect to the EndedElectionPage All stations close their applications Election and crashes 71 During the election a new manager is No a new manager is sever the connection to the manager elected and promoted elected correctly but not at the time the sev ering occurs but on the next action requiring network traffic taken by any station 58 T2 During the election sever the connection to a station the station is removed from the managers list of peers Yes None 17 2 Class diagrams Aegis DVL All j Q Q Q Q A KN AddPeerComma Y BallotReceivedC Y BallotReceivedC Y BallotRequestD Y Bytes Class Class Class Class I Static Class i i Er xa Q Q TA ARN Ew Q CommunicatorCon Y Crypto E CryptoCommand Y CryptoContract a EndElectionCom Y Abstract Class Class Class Abstract Class Class O O se gt IPEndPointCom Y IsAliveCommand f SY log c Class
77. dence that the software works as expected We also verified our synchronization algorithm using UPPAAL see appendix 17 4 UPPAAL The scanner and voter card generator was tested during the development but these tests remain undocumented Since there is no code for the scanner and we did not write any of the code for the voter card generator we found it unnecessary to tests these features in a systematic manner 11 0 1 Test strategy As a primary means of testing we have created unit tests using the NUnit testing framework 30 For tracking code coverage we have used JetBrains dotCover 31 We initially set requirements for the coverage of our tests by dividing the tests into domains and setting coverage require ments Ideally we would like 10096 coverage but in some cases it is impractical so we settled for 9096 coverage on most of the domains The tests should also be thorough but it is hard to specify this in requirements Due to time constraints some of the tests are not as thorough as we would have liked We would also have liked to have run PEX 32 on our system We tried running PEX briefly but it generated a lot of tests that failed and we did not have time to identify which tests were problems that needed fixing and which were PEX being unable to generate good tests Ideally all of PEX failed tests should be corrected or at least analyzed but as we had good test coverage from our hand written tests we did not include the PEX
78. deord p stationen vXNyThtCbK IP Adresse Tilsluttet 192 168 1 13 m Opdater Tilbage Tilf j fem startvalg and the station needs to input the password After the station has entered the password and pressed OK you are asked for a password displayed on the station like this Indtast kodeord vist p stationens sk rm 192 168 1 13 When you enter the right password the station appears as connected in the list Pressing Fjern removes the stations as a peer and announces to the remaining peers that they must do the same A removed peer is ignored Start valg asks you for the master pass word and start the election like so 73 4 Master Password Indtast Master Kodeordet NOTICE be aware that the system must always have at least four active machines to function If this is not the case you are not able to start the election When the election has started you are presented with this page j us Aegis DVL lea Filer Hj lp IP Adresse Tilsluttet Valgkortsnummer 192 168 1 13 CPR nummer Opdater Tilf j Fjern Ger til Manager Afslut Valg This page is a combination of the previous page and the voting page from the station The right side of the page functions exactly like the previous screen and the right side screen gives you the opportunity to mark voters with voter number and CPR n
79. dles and routinely pump messages during long running operations It seems to mainly have been thread deadlocking that has caused it and we have not been able to consistently recreate it Minor If you click Opdater in the user interface while it is already updating you will get an ObjectDisposedException This is because the DiscoverNetworkMachines method uses the threadpool Minor CPR numbers written in the user interface should be within the uint32 limits Ideally we should add more checks to the user interface like making sure that the first two digits do not exceed 31 the next two digits do not exceed 12 and so on Minor If multiple machines try to request the same ballot at the same time only one is handed out but no error message is shown on the other machines Minor If you click Marker v lger or Afslut any entered master password is considered wrong if you are in a window before the BallotRequestPage on a station or before the OverviewPage on the manager Minor If you select an invalid key during load an exception is thrown in the DataLoadPage Minor If you try to add a station you are already connected to an exception is thrown in the OverviewPage and ManagerOverviewPage Minor 39 When you have removed a station the user interface list is not updated before you Minor click Opdater While most of the known bugs are minor and easily
80. e Aegis DVL system and a brief discussion about the alternatives A description and discussion about the security measures taken to ensure that the voting data is protected and can not be tampered with A user manual describing the common usage of the Aegis DVL system An overview of the testing strategy and the results Notes for any future developers of this or a similar system Several other topics are not included in this paper No usability analysis of the user interface has been performed It is purely for demonstration purposes and while containing the appropriate functionality the aesthetics was not a priority This solution does not cover what happens before and after the election This includes but is not limited to the partitioning of data the printing and sending of voter cards the storage of the machines the collection of the data after the election has ended and the counting of votes This paper does not discuss the physical transportation of voter cards machines USB devices etc in depth While physical transportation is suggested several times one must consider the logistics and how the vehicle is guarded amongst other factors before imple menting the solution in real life The paper does not include an economical analysis concerning the Danish election protocols and how much money can be saved by using this solution instead of the existing one Neither an implementation nor a discussion of letter votes is in
81. e kodeord p manageren oYIUngCPYy Venter p at valget starter Tilbage L A Have the manager type this password in and the text on your screen switches to Venter p at valget starter which is displayed until the manager decides to start the election 4 When the election starts you are presented with this screen 2 J Aegis DVL cg X Filer Hj lp Valgkortsnummer CPR nummer 69 From this screen voters can scan type their voter numbers and type in their CPR num bers When this is done you can press Feerdig and one of the following dialogues is shown Giv ikke stemmeseddel n ken This indicates that the voter is either not eligible to vote at this venue or that he has already been handed a ballot Giv stemmeseddel imm A Vaelgeren 250001 M gives en stemmeseddel This indicates that the system has accepted the voter number and CPR number and that this voter can now be handed a ballot 5 This process can be repeated until the manager decides that the election has ended 6 When the election has ended the application automatically shuts down T When the manager has exported the data and everyone is sure that the election has run as expected it is safe to delete the Voters data file Manager usage 1 After you have selected Manager you are presented with this page 70 E J Aegis DVL Filer Hj lp Dette er
82. e to vote he receives a ballot used to cast a vote Election official A normal poll worker that does not know the master password The job of the election official is to hand out ballots to the eligible voters when the system has confirmed that it is OK Election secretary The person responsible for a single election venue Each election venue has one election secretary that holds the master password for that venue Master password A password generated before the election starts and held by the election secretary It is used to start an election end an election register a voter only with his CPR number and access the log database 43 Chapter 14 Reflection When designing a software solution that focuses on security one must be aware that no system is 10096 secure Every time a new layer of security is added the responsibility is moved from one entity to another whether this is a part of the system or an actual person or multiple persons It all comes down to which entities you trust In this system we assume that the election secretary and the entity responsible for partitioning and collecting the data are both trustworthy sources If any of these were to have malicious intent they could easily jeopardize the election This could be solved by adding a new layer of security and having a new entity control the privileges of the election secretary and the partitioning and gathering entity This poses the problem of whether we trust the new
83. en a CryptoCommand is received the command checks if the inner command s sender matches the sender of the CryptoCommand itself It then confirms that the decrypted hash matches the hash it computes locally and if everything matches up the command is executed otherwise the system is notified and shuts down 8 3 Detection and recovery Detecting potential intrusion is most likely to happen when receiving a command transmitted over the network The Communicator only allows CryptoCommands IsAliveCommand and PublicKeyExchangeCommands to be received reducing the amount of potential attacks Upon receiving something else the system is shut down IsAliveCommand does not contain any code or data to be executed and can not be exploited PublicKeyExchangeCommand shuts down the system if the station has already exchanged keys once and as key exchange requires human interaction detecting misuse should be easy CryptoCommands shuts down the system if the sender is unknown or if the sender hash is invalid Another problem that can be detected is when failing to send command to a recipient This is handled differently based on some criteria e When the manager fails to send a command to a station the manager announces to the remaining peers that the station should be removed from their peer lists e When a station fails to send a command to the manager the station announces to the other stations that they should elect a new manager and then re send
84. enger to transport it via a portable medium We strongly recommend the Use your own messenger to transport it via a portable medium approach to reduce the attack surface for adversaries and to gain more control of the transporta tion The transportation should preferably be guarded but the financial costs of this might exceed the benefits 6 1 Receiving and distributing data When the partitioned data arrives at the election venue it needs to be distributed to all the machines in the election To make it easier for the person who needs to set up the machines at the election venue it is assumed that there is a single point in the closed network that receives the collection of eligible voters This makes for a few possible solutions for receiving the data e A manager machine receives the data and distribute it to the other machines e A station machine receives the data and distribute it to the other machines e Either a manager or a station machine can receive the data and distribute it Alternatively the data could be distributed manually via a portable medium but this is unnecessarily cumbersome We have chosen that the manager machine receives the data and 14 distributes it Since the manager is the machine managing the stations it makes sense to have this machine join the task of receiving and distributing data with the task of connecting to all the stations The data can be distributed among the machines in several different
85. er data 8 1 Attack model To identify and assess threats to the system we created attack trees 6 using the notation de scribed by Moore et al 5 with added notation for reusing attack patterns inside the attack trees to provide smaller and clearer attack trees The full attack trees can be found in appendix 17 5 Attack Trees where the additional notation is also described Constructing attack trees is a method to identify different kinds of attacks against a system consider the likelihood and resources required of each attack and manage the risks The weakness of this approach is that it relies on the creator to consider all the different kinds of attacks and predict the correct proba bilities and resources The detail and depth of the attack tree is also decided by the creator and important information might be omitted Since this is a paper primarily concerning software we have chosen to focus our attacks on how one could destroy or tamper with an election via our software By identifying the possibilities of potential adversaries we produced countermeasures and implemented a more secure solution The outcome of constructing attacks trees was knowledge of where to focus our efforts when designing the security of our software and we arrived at several conclusions e The portable medium used to transport the data from the partitioning venue to the election venue should have a protection mechanism to prevent tampering with the data prior to a
86. erprise 15 0 ASE 15 0 with Encrypted Columns retrieved from http infocenter sybase com help index jsp topic com sybase dc00412 1500 html Encrypt_Guide BAJCATHA htm on 12th March 2012 20 Encrypting Data Values in DB2 Universal Database Bruce Benfield Richard Swager man International Business Machines Corporation 2001 retrieved from http www ibm com developerworks data library techarticle benfield 0108benfield html on 12th March 2012 21 MongoDB retrieved from http www mongoDB org on 19th March 2012 22 The Apache CouchDB Project retrieved from http couchdb apache org on 19th March 2012 23 Redis retrieved from http redis io on 19th March 2012 24 Distributed snapshots determining global states of distributed systems K Mani Chandy amp Leslie Lamport ACM Transactions on Computer Systems Vol 3 No 1 February 1965 re trieved from http research microsoft com en us um people lamport pubs chandy pdf on 10th April 2012 25 Why Multicast Protocols Don t Scale An Analysis of Multipoint Algorithms for Scalable Group Communication Eve M Schooler California Institute of Technology 2001 retrieved from http thesis library caltech edu 3236 11 thesis pdf on 10th April 2012 26 SyncAlgorithm retrieved from http code google com p nsync wiki SyncAlgorithm on 10th April 2012 27 Comparison of NET Logging Frameworks and Libraries retrieved from http www dotnetlogging com
87. essage Updated a couple of classes based on code analysis Revision 78 Author Skovvart Date 2012 04 11 13 22 Message Removed Pkcslv5 padding from Rsa as it makes encryptions incomparable Padding inputbytes with a 1 to not lose leading zeros Revision 77 Author Skovvart Date 2012 04 10 16 45 Message Crypto doesn t work after all it seems same input and key do not generate the same output Replacing source Digital Voter List Digital Voter List Database VoterModel Designer cs Replacing source Digital Voter List Digital Voter List Database VoterModel edmx Revision 76 Author Skovvart Date 2012 04 10 15 42 Message Didn t get commited for some reason Revision 75 Author Skovvart Date 2012 04 10 15 39 Message Initial implementation of SQLite added Revision 74 Author Skovvart Date 2012 04 10 14 02 Message Renamed some namespaces changed I Communicator to include DiscoverNetworkMachines and IsListening removed ValidMessage since CryptoCommand handles that logic Revision 73 Author Skovvart Date 2012 04 09 18 27 Message todo comment added Revision 72 Author Skovvart Date 2012 04 05 19 37 Message dotCover problem fixed by switching Test project compilation to x86 instead of AnyCPU Added temporary PublicKeyExchangedCommand implemented StationActive in Station added fixed a couple of tests Made station load an encryptionkey from disk located in bin directory for now Made Messa
88. ests a ballot The manager checks its own database and if the voter is eligible for a ballot it sends a message to every station other than the initial one telling them to update their database Lastly the manager sends an update and confirmation to the initial station which then hands out the ballot If the initial station becomes unavailable i e crashes before it can receive a confirmation the manager 17 sends out a revoke command to every other machine telling them that the ballot has not been handed out and that their database should reflect that It is important that the manager sends the update messages at the same time because the system can not handle a situation where the manager crashes halfway through updating the stations That leaves some stations with one ballot status and some with another and no manager to confirm which one is correct If a station is unreachable when an update message is sent it is removed from the manager s and the active stations list of connected stations The ChandyLamport algorithm Snapshot algorithm 2 24 with this approach an observer process initiates the algorithm to gather a global snapshot of the system If we were to use this algorithm it would have to be modified since we wanted updates to be communicated to other machines when a ballot has been handed out and this algorithm only updates the initiator The most significant problem however is the fact that the entire state of each mac
89. fixed and updated to satisfy coverage requirements Revision 289 Author Skovvart Date 2012 05 10 16 58 Message Added revoke when target fails to receive BallotReceived added cpr password options in station Revision 288 Author Skovvart Date 2012 05 10 16 24 Message Commented and contracted constructors Revision 287 Author Aaes Date 2012 05 10 15 13 Message changed titles on dialogs Revision 286 Author Aaes Date 2012 05 10 15 11 Message Revision 285 Author Skovvart Date 2012 05 10 15 11 Message Code analysis fixes Revision 284 Author Aaes Date 2012 05 10 14 41 Page 3 Revision History 21 05 2012 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 ea gil 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 Message Revision 283 Author Skovvart Date 2012 05 10 14 13 Message Code coverage requirements completed for now Revision 282 Author Skovvart Date 2012 05 10 12 22 Message Removed logging from IsAliveCommands since it gave problems when trying to discover peers Revision 281 Author Skovvart Date 2012 05 09 18 23 Message Still problems with the l
90. forall vvoter t voters 0 v imply forall c chan t lvoters c v Ez forall v voter_t voters 0 v imply forall c chan_t voters c v holder lt gt forall v voter_t voters 0 v imply forall c chan_t voters c v holder forall v voter_t ballotsHandedOut v imply forall c chan_t voters 0 v holder forall v voter_t ballotsHandedOut v lt 1 holder 78 r TU C Users Nikolaj Documents My Dropbox Bachelor Project Bachelor UPPALLxml UPPAAL Fil Rediger Vis Funktioner Indstillinger Hj lp Editor lator Verifikator Ba maa amea gt o Traek ud Aktive transitioner deadlock N ste Nulstil Simulationsforl b i querer rnc rans sanc reserven rane vac s2 idle idle confirmVoter idle requestBallot idle idle s2 idee idle idle idle requestBallot idle idle requestUpdate S3 M idle idle idle idle idle idle confirmVoter M idle idle idle idle idle idle idle 53 idle idle idle idle confirmVoter idle idle 52 idle idle confirmVoter idle confirmVoter idle idle M 52 idle idle idle idle confirmVoter idle idle checkVoter ide voter voter1 voter VOTERAMOUNT confimVoter requestUpdate managerVoter voter 1 sender 0
91. g Valgudskrivning Vejledninger Kom 20go0dt 20i 20gang 20Digital 20Valgliste 20Tekniker 20Version 202 1 0 pdf on 10th May 2012 38 Installationsvejledning til KMD Digital Valgliste Konfiguration Version 2 2 KMD A S retrieved from http nykundenet kmd dk systembrugere valg Valgudskrivning Vejledninger Installationsvejledning 20ti1 20KMD 20Digital 20Valgliste 20Konfiguration 20Version 202 2 pdf on 10th May 2012 39 E Voting Technology Glossary retrieved from http whatis techtarget com glossary e voting glossary html on 11th May 2012 40 Punchscan see your vote count retrieved from http www punchscan org on 11th May 2012 41 Scantegrity retrieved from http www scantegrity org on 11th May 2012 42 Dominion Voting is a different kind of election partner retrieved from http www dominionvoting com on 11th May 2012 43 Mediator Design Pattern in C and VB NET retrieved from http www dofactory com Patterns PatternMediator aspx on 15th May 2012 44 The International PGP Home Page retrieved from http www pgpi org on 15th May 2012 49 45 Command Design Pattern in C and VB NET retrieved from http www dofactory com Patterns PatternCommand aspx on 15th May 2012 46 Four eye principle Planning and organization retrieved from http www economypoint org f four eye principle html on 15th May 2012 47 ADO NET 2 0 Provider for SQLite retrieved from http sourceforge net projects s
92. ge serialiable Revision 71 Author Skovvart Date 2012 04 03 15 41 Message Optimized references Revision 70 Author Skovvart Date 2012 04 03 15 33 Message Updated bytetests to dispose of a memorystream Attempted to figure out what dotCover s problem is but to no avail so far Page 16 Revision History 21 05 2012 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 Revision 69 Author Skovvart Date 2012 04 03 15 11 Message Updated a couple of tests and removed unnecessary files from the root source folder Revision 68 Author Skovvart Date 2012 04 03 14 55 Message Added padding to asymmetric encryption distinguishing between symmetric and asymmetric keys updated a few tests and a lot of commands updated communicator slightly Revision 67 Author Skovvart Date 2012 04 03 13 02 Message Implemented most commands Revision 66 Author Skovvart Date 2012 04 02 16 42 Message Small updates to some tests Revision 65 Author Skovvart Date 2012 04
93. ger what is the master password Is this station active What machines on the network respond that they have the digital voter list software running Is this string the masterpassword Can I have a new Station that is the manager Can I have a new Station command This station is now the manager This is how you encrypt messages This is how you log messages The master password is this The system is compromised notify everyone and shut down the election Exchange public keys with this machine Start listening to other stations Stop listening to other stations Start the election Add this station to the group Remove this station from the group Start election of a new manager Elect a new manager Request a ballot for this voter This voter received a ballot Revoke this ballot Tell the group to remove this station as a peer Make this station the new manager Announce to all stations that the election has started Announce to all stations that the election has ended Announce to all that they should revoke this update constraint The master password must not be set to null and the master password must not be changed once it s set All addresses must be well formed that is not null when exchanging public keys with a station the station must be active You can not start or stop listening unless you re in the
94. hine would be sent over the network This could potentially be thousands of entries which is unnecessary for our purposes NSync 26 NSync would be a good choice if we wanted to have several updates at a time on each machine It works by sending metadata on what changes needs to be made resolves conflicts and afterwards sends the necessary data for the changes to happen It would not be fit for our purpose since we want to send one update at a time and because that conflicts in the data sets is a reason to suspect that a machine has been compromised in our system To provide better insight into how our algorithm is implemented the following pseudo code is supplied Algorithm 1 Our synchronization algorithm Station side 1 VoterNumber Scanned VoterNumber 2 CPR Typed CPR e SS Check CheckOwnDatabase VoterNumber CPR returns false if the voter does not exist or has already received a ballot if Check then InformV oter inform the voter that he does not exist or has already received a ballot else Manager Request Ballot V oter Number CPR sends a command to the manager with the request end if 18 Algorithm 2 Our synchronization algorithm Manager side RequestBallot 1 Voter Number lt Scanned Voter Number 2 CPR Typed CPR Check CheckOwnDatabase VoterNumber CPR returns false if the voter does not exist or has already received a ballot UpdateOther Stations V oter Number CPR if
95. his is not something we can easily enforce in the system and we trust that the election secretary is trustworthy Since the master password is needed to mark a voter by CPR number only which should only happen when a voter has lost or forgotten his voter card we realized that if a large number of these voters appeared at the same time this might create a bottleneck since only a single person can mark these voters After further investigation we discovered that this has not previously been a problem in Denmark as few voters forget or lose their voter cards If this were to become a problem one could add another tier of election staff between the election official and election secretary T his new tier would have a separate password for each member and would be able to have all the rights of the election official with the added benefit of being able to mark voters by CPR number only The user interface in our application is supposed to be for demonstration purposes only We wanted to focus on making a system with an easily replaceable user interface This does not 35 mean that the user interface is not functional but the aesthetics of it can be improved 36 Chapter 11 Testing Testing the software gives us some confidence that it works correctly Having the tests cover 100 of the code base while asserting that it functions as intended gives us full confidence that the code does not always fail The more thorough tests the higher confi
96. ination of CPR VOTERNUMBER and BALLOTSTATUS query What is the encrypted CPR number of this encrypted voterdata what is the encrypted voter number of this encrypted voterdata What is the encrypted ballot status of this encrypted voterdata constraint All the data must have a value that is be non void end class chart LOGENTRY indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nsbkGitu dk explanation A log entry is an entry in a log It contains a message a time and a level indicating its type query what is the message of the log entry What type of log entry is this At what time was the log entry added constraint None of the values must be void end Page 2 Crypto Informal 16 05 2012 1 AWN un 10 11 12 13 14 15 16 17 18 class chart CRYPTO indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation Crypto is responsible for cryptographic functions such as public key encryption query What is the asymmetric key used for encrypting voterdata at this election venue What are the keys for my public key infrastructure what does this look like when it s symmetrically encrypted with this key what does this look like when it s symmetrically decrypted with this key what is the current initilization vector what does this look like when it s asymmetrically encrypted with this key what does th
97. ion 101 Author Aaes Date 2012 04 23 15 25 Message UI updates to match the back end Revision 100 Author Aaes Date 2012 04 22 23 13 Message added a master password generator Revision 99 Author Skovvart Date 2012 04 19 00 58 Message Fixed election algorithm Revision 98 Author Skovvart Date 2012 04 18 16 14 Message Trying to add nunit framework dll without the rest of NUnit Revision 97 Author Aaes Date 2012 04 18 16 12 Message SQLite DLL s added Revision 96 Author Skovvart Date 2012 04 18 16 01 Message Fixed method name in XAML Revision 95 Author Skovvart Date 2012 04 18 16 00 Message Implemented IDisposable Revision 94 Author Aaes Date 2012 04 18 15 59 Message Added dummy methods to several UI windows and made additional functionality Revision 93 Author Skovvart Date 2012 04 18 15 07 Message Updated implemented Logger Restructered datatypes a bit Revision 92 Author Skovvart Date 2012 04 17 16 59 Message Reformatted logger Revision 91 Author Skovvart Date 2012 04 17 16 53 Message Updated tests fixed some bugs 95 code coverage but still some issues remaining Revision 90 Author Aaes Date 2012 04 17 16 44 Message Revision 89 Author Aaes Date 2012 04 17 15 20 Message more UI updates Revision 88 Author Aaes Date 2012 04 17 13 57 Message Added navigation between all UI windows and fixed some resizing issues Revision
98. ired beyond 2030 58 For symmetric encryption we use AES 54 in CBC mode 55 Cipher Block Chaining with PKCS7 56 padding and initialization vectors IVs Keys and IVs are generated using Bouncy Castle s SecureRandom class The generated keys use the highest strength supported by Bouncy Castle which is 256 bit 32 bytes The fastest supercomputer in the world would in theory require about 3 31 10 years to exhaust the 256 bit key space 59 Ideally we would use CCM mode 57 since it seems to be the best option Bouncy Castle offers but we had some problems implementing it and believed CBC mode to be sufficiently secure Even better would be CWC 57 mode but Bouncy Castle does not offer this Our basis for this prioritization is taken from the Secure Programming Cookbook for C and C 57 Our system uses asymmetric encryption for the voter data all unsigned integers and for encrypting symmetric keys Symmetric encryption is used to encrypt the network traffic in the CryptoCommand The CryptoCommand consists of e An IV unencrypted e A symmetric key asymmetrically encrypted with the receiver s public key so only the receiver can decrypt it with his private key e The inner command to be executed symmetrically encrypted with the symmetric key 27 e A hash of the message asymmetrically encrypted with the private key of the sender so the receiver can decrypt it with the public key of the sender upon arrival Wh
99. is look like when it s asymmetrically decrypted with this key What is the hashed value of this May I have a new randomly generated symmetric key command The initilization vector is this Generate a new initilization vector to be used for symmetric encryption end Page 1 Database Informal 16 05 2012 1 Ru N O N mu 10 12 13 14 15 class chart DATABASE indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation The database layer is responsible for communicating with the database create read update write It can also perform batch operations such as importing and exporting the database query Has this voter received a ballot what does the entire database look like Who is my parent station command This user has received a ballot This user s ballot has been revoked Import this encrypted data into the database constraint After the election has started the number of rows should never change end Page 1 Logger Informal 16 05 2012 class chart LOGGER indexing author Nikolaj Aaes niaa itu dk amp Nicolai Skovvart nbsk itu dk explanation A log is used to track events in the system Hd WO N du d UJ N query What does the entire log look like command Log this message end Page 1 Scanner Informal 16 05 2012 1 class chart SCANNER 2 indexing 3 author Nikolaj Aaes niaa itu dk
100. is using the twelve principles presented in Applied information security A hands on approach 1 which are discussed in section 8 Security We have used the BON design language 33 in our design process to get a complete overview of our application before producing any code We used code contracts 34 to make sure the application behaved as expected as dictated by the Design by Contract principle 35 To improve the modularity of the application we provided interfaces for all the major classes except for Station This makes for easy replacement of parts of the program which might become needed later on We used the Mediator pattern 43 when we implemented the user interface since we wanted it to be easily replaceable with any user interface The only requirement would be to implement the IDvlUi interface to make sure the back end of the system could communicate with the user interface As for the messages sent from machine to machine we used the Command pattern 45 which provided us with an easy way to encapsulate data and instruct the target machine what to do with it 5 3 The main classes To provide an overview of the classes in the application we have created a class diagram which can be found in Appendix 17 2 Class Diagrams along with descriptions of the major classes in the system 5 3 1 Station The Station class is the large back end class that contains the core functionality for the station and manager machines While a station
101. itioning to manipulate the data lt Manipulate person s gt is equivalent to 2 Manipulate person s responsible for partitioning to manipulate the data OR 1 Bribe them 20 000 1 10w 3 2 Force them 0 1 low 4 3 Threaten them 0 1 10w 4 87 Attack pattern Manipulate person s 0 1 low 4 Goal Force one or more people to do what an attacker wants Precondition Targets must be susceptible and the attacker must have the resources necessary Attack OR 1 Bribe them 20 000 1 low 3 2 Force them 0 1 low 4 3 Threaten them 0 1 low 4 Postcondition The targets will now do what the attacker wants Attack pattern Gain access to partitioning machine 0 1 low 4 Goal Gain access to the machine where the full data set of the election is held and is being partitioned for each election venue Precondition Attack OR 1 Be responsible for partitioning 0 1 low 1 2 Manipulate person s responsible for partitioning to manipulate the data lt Manipulate person s gt 3 Manipulate the data without the person s responsible noticing 0 1 medium 1 4 lt Digitally force access gt 5 Physically force entry and the attacker manipulating the data 0 1 medium 3 Postcondition Attacker now has access to all data on the partitioning machine Attack pattern Acquire private key used to decrypt data 0 1 low 4 Goal To acquire the private key used to decrypt voter data such as voter number CPR number and ballot status Precondition Att
102. l threats e The generation of the keys used to encrypt the initial data set and decrypt the final data set should be conducted in a safe location since the acquisition of these could compromise the entire election e The machines used in the election should be dedicated only for the election This should prevent the machines from being compromised prior to the election Alternatively the machines could be reset to factory standards instead of being dedicated In the attack trees the attack pattern Manipulate persons is used repeatedly indicating that this is a weak point in the security structure When in a real life environment it is therefore important to make sure that the election staff is well protected and not likely to receive bribes When the Manipulate persons attack pattern is used it is often to gain access to a certain encryption or decryption key or to the election venue and hardware This is something that is available to the election staff as well and if the adversary knew an insider or was an insider himself the Manipulate persons attack pattern would not be a necessary action for the attack to succeed It is important to notice that the attack trees are devised from an outside adversary s point of view and many other obstacles would be removed as well if the adversary was an insider As an addition to our attack trees we considered using Microsoft s Threat Modeling approach 8 but found the threat rating method to no
103. late 0 1 high 4 OR 1 Manipulate 0 1 high 4 AND 1 Acquire private key used to decrypt the data 2 Acquire public key used to encrypt the data 3 Decrypt data set 0 0 high 5 4 Manipulate data 0 0 high 5 5 Encrypt tampered data set with public key 0 O high 5 6 Replace data 0 1 low 5 2 Replace 0 1 high 4 AND 1 Acquire public key used to encrypt the data 2 Encrypt tampered data set with public key 0 O high 5 3 Replace data 0 1 low 5 2 During the election 0 1 low 4 OR 1 Manipulate the database on all the machines 0 1 medium 4 AND 1 Gain access to all machines 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access Digitally force access 2 Acquire public key used to encrypt the data 3 Acquire the database key 4 Manipulate or add records to the database 0 1 medium 5 2 Gain access to multiple ballots by continuously revoking ballot received 0 1 low 4 AND 1 Gain access to the management machine 0 1 low 4 OR 1 Physically force access 0 1 low 4 OR 1 Manipulate person with access to the manager machine Manipulate person s gt 2 Digitally force access Digitally force access 2 Gain access to all signatures and keys and broadcast revoke commands to all stations 0 1 high 1 3 Prevent people from voting by marking them as having received a ballot 0 1 low 1 AND 1 Identify CPR and voter number combinations 0 1 low 5 OR 1 Acquire voter cards and CPR
104. lection the connection is severed Both systems save their data in simple files By using the SQLite DBMS only a single database file is used for the data This is an idea that KMD had as well and it reduces the complexity of the overall structure Differences The system developed by KMD stores the data in partitions on each machine with a single other machine as backup While storing the data in partitions is not a problem in itself the fact that an adversary would only have to attack two machines to gain control over or destroy an entire partition of the voter data is quite the risk We have chosen to store the data on all the machines thereby minimizing the data loss during a crash The system developed by KMD require the machines involved to have static IP addresses KMD s system requires that each machine has a specified IP address Our system does not require static IP addresses but the DiscoverNetworkMachines method only searches in a specified IP range This is a more flexible solution since no IP configuration is needed The system developed by KMD supports letter votes Our system does not support letter votes but KMD has gone the extra mile and support letter votes with a separate application This enables them to process these votes before the actual election and still merge the letter votes with the data at the election venue The exported data at the end of the election therefore contains all the votes which is desirable 32
105. machine and a manager machine have semantically different meanings in the code the Station class contains functionality for both since a manager machine is merely a station machine with elevated rights and responsibilities As such we have compiled a list of functionality the Station class contains and whether it is used by the manager machine or a station machine e Station 11 Start election for new manager Request a ballot e Manager Add remove stations Transfer manager status to station Check status of stations Start election End election Manually mark selected voter as being handed a ballot in case they lost their voter card 5 3 2 Crypto The Crypto class is responsible for all encryption and decryption related actions It can encrypt and decrypt with both symmetric keys and asymmetric key pairs It is also used to generate the master password and the required key pairs If the encryption and decryption algorithms need to change a new Crypto class can be constructed and used as long as it implements ICrypto 5 3 3 Communicator The Communicator class is responsible for the network communication between machines It both sends and listens for commands and executes each command as it is received If the network protocol needs to change a new Communicator class can be constructed and used as long as it implements ICommunicator 5 3 4 SqLiteDatabase The SqLiteDatabase class fa
106. mp U MN B O SN O UB N B O to 0 N O Uu amp UN oO Revision 334 Author Skovvart Date 2012 05 18 20 06 Message Increased RSA key strength This significantly slows down the constructor speed Revision 333 Author Skovvart Date 2012 05 18 13 59 Message Optimized a contract Revision 332 Author Skovvart Date 2012 05 17 23 43 Message Added a lock on logger to prevent some threading issues in the tests Revision 331 Author Skovvart Date 2012 05 17 19 55 Message Fixed a comment in station made logger commit every entry every time again Revision 330 Author Skovvart Date 2012 05 17 16 59 Message Comitting final contracts test fixes Revision 329 Author Skovvart Date 2012 05 16 15 45 Message Bon compilation fixes Revision 328 Author Skovvart Date 2012 05 16 15 18 Message Updated BON compiled it fixed some comments and some contracts removed Printer from BON Revision 327 Author Skovvart Date 2012 05 15 17 19 Message Redid Station formal and informal documentation added a couple of contracts in Station cs Revision 326 Author Aaes Date 2012 05 15 15 51 Message added comments to all UI classes Revision 325 Author Skovvart Date 2012 05 15 15 43 Message Commented StopListening Revision 324 Author Skovvart Date 2012 05 15 14 47 Message Should now announce to peers joining after the election has started that they should start as well Revision 323
107. n Attacker can execute arbitrary code Attack pattern Acquire the database key 0 0 high 2 Goal Acquire the database password to grant access to the database Precondition The attacker wants to acquire the key used to connect to the local database Attack AND 1 lt Digitally force access 2 Acquire database key from secure memory 0 0 high 2 Postcondition The attacker knows the database key and can access the encrypted data Attack pattern Impersonate other voters 0 1 high 1 Goal Attacker impersonates other voters to gain access to more ballots and therefore more votes Precondition The identification proof must be enough to convince the election officials of the identity Attack OR 1 Acquire CPR number and identification proof 0 1 high 1 AND 1 Manually request election official to confirm the identity and hand you a ballot 0 1 low 5 2 Identify CPR and voter number combinations 0 0 high 1 OR 1 Acquire voter cards and CPR number combination 0 0 high 1 2 Decrypt database 0 1 high 2 AND 1 Acquire private key used to decrypt the data 2 Acquire the database key gt 3 Request ballot at station like any other voter 0 1 low 5 Postcondition Attacker has access to multiple ballots and is able to vote multiple times Attack pattern Access transportation unit and destroy 0 1 low 2 Goal To access the unit e g vehicle which transports the ballots and or data and destroy it Precondition The necessary means to gai
108. n Revision 19 Author Aaes Date 2012 03 27 12 22 Page 19 Revision History 21 05 2012 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 Message camelcase OCD Revision 18 Author Aaes Date 2012 03 27 12 21 Message camelcase OCD Revision 17 Author Aaes Date 2012 03 27 12 19 Message Command formal bon done Revision 16 Author Skovvart Date 2012 03 27 12 09 Message Removed readme textile Revision 15 Author Aaes Date 2012 03 27 12 08 Message Formal BON files added Revision 14 Author Skovvart Date 2012 03 26 15 59 Message Recompiled BON documentation Revision 13 Author Aaes Date 2012 03 26 15 58 Message Additional revisions to the informal BON Revision 12 Author Skovvart Date 2012 03 26 14 11 Message Updated compiled BON documentation Revision 11 Author Skovvart Date 2012 03 26 14 08 Message Revision 10 Author Aaes Date 2012 03 26 14 05 Message more informal BON changes Revision 9 Author Skovvart
109. n access to the transportation unit Attack AND 1 Locate the transportation unit 0 1 low 2 2 Gain access to transportation unit 0 1 low 4 3 Destroy 0 1 low 5 Postcondition Attacker now has access to the goods inside the transportation unit and can destroy it at will Attack pattern Enter election venue and destroy 0 1 low 4 Goal Enter the election venue and destroy physical objects Precondition The attacker must know where an election venue is located and must have the means to destroy the objects Attack AND 1 Gain access to election venue 2 Destroy objects 0 1 low 5 Postcondition The objects are destroyed and must be replaced for the election to proceed Attack pattern Gain access to election venue 0 1 low 4 Goal To gain access to the election venue Precondition Attacker must know the location of the election venue Attack OR 1 Physically force access 0 1 low 4 2 Steal key 0 1 medium 3 3 Be an insider 0 1 medium 1 4 Manipulate an insider Manipulate person s gt Postcondition Attacker has access to the election venue Tree 1 To tamper with the election for personal benefit 0 1 low 4 OR 1 Manipulate the digital data 0 1 low 4 OR 1 Before the election 0 1 low 4 OR 1 During partitioning Gain access to partitioning machine 2 During transportation to election venue 0 1 high 4 OR 1 Exchange the USB device 0 1 high 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Ste
110. n not provide any guarantees that this was caused by a software error a hardware malfunction or a malicious attack With the current paper based model there are often a few votes unaccounted for compared to the number of people they have marked as having received a ballot and they are ignored i e counted as blank votes There are several solutions to this each with its own drawbacks and advantages First one could ignore the inconsistency and just acknowledge a single data set as being the correct one This is simple and fast but gives no guarantee that the data set is correct Second one could compare the data sets from all the machines and let the majority of identical data sets be considered correct This is a bit more time consuming but the guarantee that over half of the machines would have to be compromised to tamper with the data set is given Third the option to do a re election is present If one were to identify the flaw in the system fix it and redo the election all over a more satisfying result would be achieved This is both expensive and time consuming but would be an ideal solution if a correct data set is a requirement Aegis DVL does not check the data set for inconsistencies since it should never be able to occur If a machine tries to change the ballot status of a voter all the other machines will be updated as well One thing to take notice of is that if a station is removed by the manager it should be apparent to the user th
111. n promote a machine you are not connected to in the ManagerOverviewPage which results in the manager being lost Major Start valg works but the listener on the stations should not be busy executing other commands like the SyncCommand after a public key exchange as it will not receive other commands during execution Major If a station types in the proper password during a public key exchange but the manager cancels then the station will have the manager s address and public key but not the other way around This will make following public key exchange requests fail unless you re create the station Minor ElectNewManagerCommand should never be send to the manager Minor You can only paste in 9 chars and not the 10 of a CPR number in the UI Minor We have on rare occasions experienced this exception on the manager machine The CLR has been unable to transition from COM context 0x1b7ae0f0 to COM context 0x1b7ae340 for 60 seconds The thread that owns the destination context apartment is most likely either doing a non pumping wait or processing a very long running op eration without pumping Windows messages This situation generally has a negative performance impact and may even lead to the application becoming nom responsive or memory usage accumulating continually over time To avoid this problem all single threaded apartment STA threads should use pumping wait primitives such as CoWaitForMultipleHan
112. n the system class UI description A UI is used to interact with human beings The UI must be able to support requirements to be able to interact with the Digital Voter List system end Cluster chart COREDATATYPES indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation Core datatypes used by the digital voter list system Class CIPHERTEXT description CipherText is encrypted data class ASYMMETRICKEY description An asymmetric key can be used for either encryption or decryption of data Class SYMMETRICKEY description A symmetric key can be used for either encryption or decryption of data class MESSAGE description A message contains ciphertext of a symmetric key a message encrypted with the symmetric key and a hash encrypted with the senders public key Used for secure communication class CPR description A CPR number is a number identifying a danish Citizen consisting of the birthdate and a unique identifier class VOTERNUMBER description A voternumber is a unique number used in conjunction with the CPR number to request a ballot class BALLOTSTATUS description A ballot status is used in conjunction with a cpr number and a voternumber and indicates wheither status that indicates whether the ballot has been handed out not handed out or if it is unavailable at the given election venue Class ENCRYPTEDVOTERDATA description Encrypted voterdata is the encrypted combination of CPR
113. nager machine and three station machines must be present Code requirements All of the testing and code requirements were met The system is documented and tested using unit tests black box tests and code contracts The system All of the system requirements were met The system is able to scan and print voter cards it allows the extraction of the full data set at any given time during the execution of the application and it allows voters to use any of the machines in the election venue Secondary goals optional It should be faster to use the system that using the current paper based model We did not test the speed of our system compared to the current paper based system but this could be an important metric when an optimal user interface is constructed We advise that speed should be a part of the user test conducted when testing a new user interface The system should be able to generate a list of all the voters of the election place and whether they have voted or not and print it This requirement was not met and in retrospect it should not have been a goal Our 45 The The Use Use system has had a strong focus on security and all the voter data is encrypted Being able to print all the voter data could be considered a security flaw and private sensitive data such as CPR numbers could needlessly be exposed Nevertheless the PDF generator code is able to generate a list of voter names and voter numbers but this fea
114. nd after the election This could potentially be solved by having the data obfuscated or signed and the deobfuscation password only being exchanged securely when the data is at the election venue e Access to the machines used for the election must be very limited before and after the election It should be impossible for unauthorized personnel to gain physical access to the machines prior to and after the election e The process of identifying voters that lost their voter cards must be very thorough before handing them a ballot to prevent impersonation 23 e Being connected to the Internet can be a huge threat and should be avoided as much as possible e Data should be checked every time it travels from one machine to another to prevent using corrupt or invalid data e The hardware facilitating the network should be under observation during the election to prevent unintended machines from connecting to the network e Connecting to the network of machines running the software should require authentication to make it harder for adversaries to gain access to the network e The less decryption that takes place during the election the better Ideally each machine should only be able to see the data it needs and nothing more thus following the Least Privilege Principle 1 e The election personnel should consist of trusted individuals Even though the software will protect against insider attacks they are still one of the greatest potentia
115. network and the receiver has to type in a password that is shown on the sender s machine The process is repeated the other way around and both machines should know each other s public keys After public keys are exchanged all messages except the message checking if a station is reachable switch to using hybrid cipher encryption that automatically ensure that only the sender and the receiver understand the message During the election there should be taken certain precautions outside of the system The election should make use of the four eye principle 46 making sure that there are at least two people monitoring every station to reduce the chance of insider attacks and to make sure that no unauthorized personnel tampers with the hardware The stations should not be connected to the Internet and the machines external input devices such as the USB slots CD drives etc should be made unavailable The manager machine will initially need to allow one of these options to import the data and the voter data encryption key but it should be made unavailable after initialization To protect against potential errors it would also be ideal if the machines and the router switch ran on an uninterruptible power supply UPS 8 2 1 Input validation Input validation is potentially an important subject especially when working with SQL databases SQL injections are a commonly known problem in many programs especially in web applications The input our s
116. non recoverable fatal problem in the system We approached our logging with a the more the better mindset and chose to log the following things e Every time a ballot status is changed in the database e Every time a command is received or sent over the network e The start and end of the election e Every time the manager announces an event When a ballot status is changed the CPR and voter number of the changed voter is logged as well This could be a potential risk but we make sure that the log is encrypted with the master password and can not be accessed without it By logging as much as possible and using the different levels of urgency we create a log which can be filtered to display the information needed by any user We chose to log as much as possible to prevent future developers from being forced to add more logging statements to the back end themselves 31 Chapter 9 Comparison with KMD s DVL and other related work To compare our system to the system developed by KMD we have listed some of the similar ities and differences between the two systems The comparison is based on the KMD manuals 36 37 38 since we did not get first hand experience with the system Similarities Both systems operate in a closed network during the election Both systems require that there is no access to the internet during the election The system developed by KMD does however use the internet when importing the data but during the e
117. not wireless The unused port in the switch router must be obstructed thus pre venting adversaries from plugging their own machines in and accessing the network Ideally the switch router is in the same location as the manager machine to make monitoring both of them at the same time convenient To avoid that voters or election staff accidentally close the application during the election we have disabled the red x in the upper right corner of the application As an additional security layer we would have liked to implement the application in such a way that it would run as a service and require administrator rights to close it to further increase the security The master password and the decryption key to the data set are each entrusted to a single entity which means that the two entities in question must be trusted Ideally each of these keys would be split into several fragments and each fragment given to a different entity preferably with different stakes in the election Only by using all the fragments at the same time would the key be usable This would place the trust on several entities instead of a single one and make it harder for adversaries to acquire the combined key This is not a practical solution for the master password since you would have several entities typing on the same machine each time a voter has lost his voter card which would be cumbersome But for the decryption key this would be a thing to consider when decrypting the vot
118. null 18 06 exe file Page 2 Revision History 21 05 2012 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 Message Revision 300 Author Aaes Date 2012 05 11 17 30 Message Revision 299 Author Aaes Date 2012 05 11 17 29 Message Revision 298 Author Aaes Date 2012 05 11 17 19 Message Revision 297 Author Aaes Date 2012 05 11 16 12 Message Revision 296 Author Skovvart Date 2012 05 11 14 28 Message Disabled contracts upped the connect time out Revision 295 Author Aaes Date 2012 05 11 14 27 Message Revision 294 Author Skovvart Date 2012 05 11 13 54 Message and the same thing again Revision 293 Author Skovvart Date 2012 05 11 13 51 Message Will no longer attempt to remove peers that aren t added when publickeyexchange fails Revision 292 Author Skovvart Date 2012 05 11 12 36 Message Removed some todo comments Revision 291 Author Skovvart Date 2012 05 11 12 06 Message Final code coverage whoring Revision 290 Author Skovvart Date 2012 05 10 17 48 Message Tests
119. numbers 0 1 low 5 2 Decrypt database 0 1 low 4 AND 1 lt Acquire private key used to decrypt the data gt 2 lt Acquire the database key gt 2 Mark voters 0 1 low 1 OR 1 Gain access to machine s 0 1 low 1 OR 1 The management machine and manually mark voters as having received ballots 0 1 medium 1 2 The station and manually request ballots 0 1 low 1 2 Update database 0 1 high 1 AND 1 Obtain public key 0 1 high 1 2 Obtain database key 0 1 high 1 3 Update the database 0 1 low 5 4 Impersonate other voters lt Impersonate other voters gt 3 After the election 0 1 high 4 OR 1 Before being exported 0 1 high 4 AND 1 Gain access to the manager machine 0 1 low 4 OR 1 Be the election official s 0 1 medium 1 2 Force access 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access Digitally force access 3 Force an insider to grant access Manipulate person s gt 2 Replace or manipulate 0 1 high 4 OR 1 Manipulate 0 1 high 4 AND 1 Acquire private key used to decrypt the data Acquire public key used to encrypt the data Decrypt data set 0 0 high 5 Manipulate data 0 0 high 5 Encrypt tampered data set with public key 0 0 high 5 Replace data 0 1 high 5 2 Replace 0 1 high 4 AND 1 Acquire public key used to encrypt the data 2 Encrypt tampered data set with public key 0 O high 5 3 Replace data 0 1 high 5 2 During transportation 0 1 high 4
120. o KMD s user manuals 36 37 38 we have not split our user manual into sections based on the roles of the people handling the system but instead based on the different parts of the system This is because we believe that any single person can potentially handle the entire system from setup to completion of the election In reality this is limited by the election secretary which is the only person who should hold the master password needed for some of the larger decisions in the election To run the program one must have the appropriate DBMS installed In our case this means that the ADO NET 2 0 Provider for SQLite link found in appendix 17 3 User manual must be installed prior to the running of the application As a second requirement a PDF reader must be installed if the user manual found in the Bruger manual item under the Hj lp menu is to be displayed This is optional although the user should be aware that the user manuals can not be viewed without it In our current solution we want the election secretary to be the only individual who knows the master password to maximize the security By only having one individual that know it we do not need to trust the entire election staff but only a single person However if the master password was to be shared between several individuals one should be aware that entries in the log that could only have been done by an individual possessing the master password can reflect different persons T
121. o exchange the current DBMS the properties of the new DBMS should be considered Some desirable properties are e ACID atomicity consistency isolation durability transactions either through locking or multi versioning e Security layer for encryption e Scalability e Logging framework One might consider a DBMS with a distributed protocol to handle consistency over a network but we have chosen one without it to get a greater degree of control on how the data in synchronized between the machines If a DBMS with a distributed protocol is chosen it needs to have eventual consistency within a time frame depending on the amount of stations to make sure the election machines are consistent between every ballot handed out We suggest an open source system 19 for several reasons an open source DBMS project could be forked to fulfill possible future requirements it would be possible to have a peer review of the crypto layer and other security aspects and it would also be consistent with our own open source project There is nothing preventing the use of a proprietary system though We have provided a list of some of the database management systems that could be usable and what properties they fulfill Database Management Systems Name Developer Open source Cryptolayer ACID Maintained REDIS 23 Salvatore San Fillippo Yes No No Yes MongoDB 21 10gen Yes No No Yes CouchDB 22 Apache Software Foundation Yes No Yes Yes M
122. o the Type Yes None button on the Dat ChoicePage aLoadPage MasterPasswordPage 14 Entering the Master a random generated Yes None 52 voter number and a valid CPR number in the appropriate text boxes Faerdig button 15 Pressing Tilbage on the redirection to the Type Yes None MasterPasswordPage ChoicePage 16 Pressing Naeste on the redirection to the Dat Yes None MasterPasswordPage aLoadPage WaitingForManagerPage 17 While on the Wait A prompt asking for a Yes None ingForManagerPage password to be typed a manager tries to appears If this is cor connect rect a similar prompt appears on the man ager and the password is shown on the station 18 While on the Wait The Page displays the Yes None ingForManagerPage a text Venter p at valget manager is connected starter 19 While on the Wait redirection to BallotRe Yes None ingForManagerPage the questPage election is started 20 Press Tilbage while on redirection to Type Yes None WaitingForManager ChoicePage Page BallotRequestPage 21 Press F rdig with a A prompt saying that Yes None valid voter number and the voter can be handed CPR number in the ap a ballot appears propriate text boxes 22 Press F rdig with an A prompt saying that Yes None invalid voter number the voter can not be and CPR number in the handed a ballot appe
123. ogger and DiscoverNetworkMachines Revision 280 Author Aaes Date 2012 05 09 15 40 Message Added an icon for the program Revision 279 Author Skovvart Date 2012 05 09 14 22 Message Now listens to begin with Revision 278 Author Aaes Date 2012 05 09 14 22 Message Revision 277 Author Skovvart Date 2012 05 09 14 20 Message Revision 276 Author Skovvart Date 2012 05 09 14 18 Message neither can the communicator Revision 275 Author Skovvart Date 2012 05 09 14 16 Message Can t assume that the logger exists when the DB is created Revision 274 Author Skovvart Date 2012 05 09 14 11 Message Logging mostly implemented Revision 273 Author Skovvart Date 2012 05 09 13 24 Message Updated some tests Revision 272 Author Aaes Date 2012 05 09 13 17 Message comments in UIHandler Revision 271 Author Skovvart Date 2012 05 09 13 02 Threading problem Message Some fixes updated tests removed some deprecated constructors Revision 270 Author Aaes Date 2012 05 09 12 27 Message A PDF file called Manual will be opened when the Help gt User Manual is pressed it must be placed in UI bin Debug atm Revision 269 Author Skovvart Date 2012 05 08 16 22 Message Finally found the bug that caused tests to loop forever Revision 268 Author Aaes Date 2012 05 08 15 43 Message comments in UIHandler Revision 267 Author Aaes Page 4 Revision History 21
124. on mech anisms Our system is open source and everyone can examine the code If the security was depen dant on the secrecy of the mechanisms it would effectively have no security at all We have designed mechanisms that depend on the secrecy of generated keys and not knowledge of the mechanisms themselves Compartmentalization Organize resources into isolated groups of similar needs We have divided the code into classes corresponding to their responsibilities We have provided interfaces for some of the more interesting classes which makes it easy to replace and maintain them Minimum exposure minimize the attack surface the system presents to the adversary By providing the minimum amount of opportunities for manual input from anyone and operating in a closed network we strove to minimize the attack surface as much as possible Least privilege any component of a system should operate using the least set of privileges necessary to complete its job We keep all data encrypted during the entire election to prevent anyone even an insider from tampering with the data Decrypted data is never stored and as soon as new data enters the database it gets encrypted By using a master password we ensure that only the appropriate members of the election staff has the privileges to perform certain actions such as marking a voter using only their CPR number Minimum trust and maximum trustworthiness We choose to minimize the trust
125. opposite state You can not start or end an election unless you re in the opposite state Page 1 Station Informal 16 05 2012 51 52 53 54 55 56 57 You can not add or remove a peer unless it s either not in or in the peer list The manager must not be active when attempting to elect a new manager You can not request a ballot for a voter that has already received a ballot or who can not be found in the database You can not revoke a ballot for a voter that has not received ab allot or who can not be found in the database To announce the adding or removing of peers to announce that a ballot has been received or revoked to announce the start or end the election or to promote a new manager you must be the manager The address must never be null nor must the Peer list end Page 2 UI Informal 16 05 2012 1 Ru N un 10 11 12 13 14 15 16 17 18 class chart UI indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation A UI is used to interact with human beings The UI must be able to support requirements to be able to interact with the Digital Voter List system query What is the key the user typed in to respond to the manager initiating a key exchange What is the password the user typed in when a station is replying to a key exchange command Show this password on the manager machine Show this passw
126. ord on a station machine Let the UI know whether or not the voter can receive a ballot Let the UI know that the election has ended Let the UI know that the election has started Let the UI know that this machine is now the manager Let the UI know that it needs to shut down Let the UI know that there are not enough peers to continue execution Let the UI know that there are enough peers to continue execution end Page 1 Command Formal 16 05 2012 O N du bh uU N E HHR RR RR RR Nou RQ N E O static diagram DIGITALVOTERLIST component cluster COMMAND component deferred class ICOMMAND feature deferred Sender IPADDRESS ensure result void end deferred Execute void S STATION require s void end end end end Page 1 Communicator Formal 16 05 2012 WO N du SS uU N H UJ UJ NJ h2 h2 FJ h2 FJ h2 hJ0 IN hJ H H HIP HP RP RP HP RP H HB E 0 N ua ESQ N E 9S AN DU BRWN E O static diagram DIGITALVOTERLIST component cluster COMMUNICATOR component deferred class ICOMMUNICATOR feature deferred IsListening BOOLEAN gt a IPADDRESS require a void end deferred DiscoverNetworkMachines ensure result void end deferred Send void gt C COMMAND target IPADDRESS SEQUENCE IPADDRESS require c void and target void end deferred ReceiveAndHandle void deferred Parent STATION ensure result null end end
127. oters and requires code contracts to be installed This is not part of the user interface because generating and printing voter cards takes place before the election starts and will not be printed at the election venues Every time a voter card is printed it should be saved in an appropriate database There is no reason for this data to be distributed to the election venues since it is not used in the system but the entity printing the voter cards might have a use for it It is recommended to use a scanner with our current user interface since the generated voter cards have barcodes associated with their voter number We tested the system with a Symbol HotShot LS2106 barcode scanner which essentially fires keyboard events when it scans As long as the correct text box has focus the scanning works as intended This scanner was produced in may 2000 and uses a PS 2 keyboard input 5 5 Contract coverage We have used code contracts in our system to ensure that our code will always function as long as the contracts are respected It also makes debugging easier as a failed precondition will stop execution immediately instead of passing potentially bad parameters to other methods The use of preconditions also allow us to ignore a lot of exception throwing code as errors can be made impossible as long as preconditions are abided by The contracts cover the following of our code Contract coverage results Domain Count Total amount of methods 158
128. oticing 0 1 low 4 4 lt Digitally force access gt 5 Physically force entry and the attacker manipulating the data 0 1 low 9 I 3 gt N 3 2 Vote several times without manipulating the digital data 0 1 low 4 AND 1 Physically gain access to ballots 0 1 low 4 2 Force election officials to accept them Manipulate person s gt Tree 2 To destroy the election 0 1 low 4 OR 1 Physically destroy the storage units when being transported 0 1 low 2 OR 1 Before the election Access transportation unit and destroy 2 After the election Access transportation unit and destroy 2 Destroy the election stations 0 1 low 4 OR 1 Before the election Enter election venue and destroy 2 During the election Enter election venue and destroy 3 Destroying ballots 0 1 low 4 OR 1 Before election 0 1 low 4 OR 1 When being transported to election venue Access transportation unit and destroy 2 At the election venue 0 1 low 4 AND 1 Gain access to election venue 2 Destroy ballots 0 1 low 5 2 During the election Enter election venue and destroy 3 After the election 0 1 low 4 OR 1 At the election venue Enter election venue and destroy 2 During transportation Access transportation unit and destroy 3 At tallying place 0 1 low 3 AND 1 Locate tallying place 0 1 low 3 2 Gain access to tallying place 0 1 low 4 3 Destroy 0 1 low 5 4 Prevent people from voting at the election venue
129. possible to enter a voter number and a CPR number It is also possible for the manager machine to remove or add additional stations on this screen When a voter enters his voter number and CPR number and pushes the F rdig button the system checks whether he is eligible for a ballot or not If a voter has lost his voter card the election secretary can mark a voter as having received a ballot using just his CPR number and the election venue master password When the election ends all the stations close their application and the manager machine can 10 export the data to a file location The exported data is still encrypted and can only be decrypted by the holder of the initial decryption key that was generated with the voter data encryption key As a rule of thumb the system was designed to shut down the election if the suspicion of an attack is raised Since no guarantees can be given about a data set that was potentially a victim of an attack the risk is too high to continue the election If the manager machine becomes unreachable an election for a new manager will start and an active station will be promoted to be the new manager when it ends This promotion can also be done through the manager s user interface If a station becomes unreachable it will be removed from the list of active machines the other machines know 5 2 Design Choosing the right security mechanisms was a major part of our design decisions and we ap proached th
130. ppears in the text box 31 Press the Eksporter you can not press the Yes None button with no desti Eksporter button nation selected in the EndedElectionPage 32 Press the Eksporter The data is exported to Yes None button with a desti the selected destination nation selected in the EndedElectionPage OverviewPage 33 Press the Opdater but A progress bar appears Yes None ton in the Overview indicating that the list Page is updating When it is done the list is updated 34 Press the Opdater But the old update is can No a ObjectDisposedEx ton in the Overview celed and a new update ception is thrown Page while it is updat of the list starts ing 35 Press the Tilbage but redirection to the Dat Yes None ton in the Overview Page aLoadPage 54 36 Press the Tilf j button Nothing happens Yes None with nothing selected in the OverviewPage 37 Press the Fjern button Nothing happens Yes None with nothing selected in the OverviewPage 38 Press the Tilf j button Nothing happens No an Exception is thrown with a station you are already connected to selected in the OverviewPage 39 Press the Fjern button Nothing happens Yes None with a station you are not connected to se lected in the Overview Page 40 Press the Tilfoj button a password appears on Yes None with a station you are the screen and a prompt not connected
131. practical convenience and chose to have the set up on the day of election The system developed by KMD is split into two different applications One for importing data and configuring the system and one for the election itself This seems like an unnecessary separation of two tasks that are quite closely coupled It does makes some sense in KMD s system because they wanted to have the system set up a day in advance If the person assigned to the set up process could import the data and configure the machines ahead of time he might be able to avoid some problems The system developed by KMD requires that the configuration files are moved by USB device The configuration files generated by the importing application must be moved to the man ager machine of the election application and put in a specific folder T his seems unnecessary error prone and cumbersome and could easily be solved with an importer in the user in terface The system developed by KMD uses the Internet to import data The system uses a technology called CAP IP to download the data to the machines While we do not doubt their intentions we wanted to reduce the attack surface as much as possible in our system so we have chosen the data to be transported to the election venue via a portable medium The system developed by KMD allows machines to continue the election autonomously if the network should malfunction While this solution gives a great degree of convenience it decreases
132. qlite dotnet2 on 18th May 2012 48 What is object relational mapping ORM retrieved from http searchwindevelopment techtarget com definition object relational mapping on 18th May 2012 49 The GNU Privacy Guard retrieved from http www gnupg org on 18th May 2012 50 What is SSL SSL Certificate Basics retrieved from http www sslshopper com what is ssl html on 18th May 2012 51 The Legion of the Bouncy Castle C Cryptography APIs retrieved from http www bouncycastle org csharp on 18th May 2012 52 RSA Algorithm retrieved from http www di mgt com au rsa alg html on 18th May 2012 53 Optimal Asymmetric Encryption How to Encrypt with RSA Mihir Bellare Phillip Ro gaway Springer Verlag 19 nov 1995 retrieved from http cseweb ucsd edu users mihir papers oae pdf on 18th May 2012 54 AES Explained retrieved from http x n20 com aes explained on 18th May 2012 55 Secure Programming Cookbook for C and C section 5 4 3 2 Matt Messier John Viega O Reilly July 2003 56 PKCS 7 Cryptographic Message Syntax retrieved from http tools ietf org htm1 rfc2315 on 18th May 2012 57 Secure Programming Cookbook for C and C section 5 4 Matt Messier John Viega O Reilly July 2003 58 Recommendation for Key Management Part 1 General Revised Elaine Barker William Barker William Burr William Polk Miles Smid NIST Special Publication March 2007 retrieved from h
133. quirements e Features Must be able to register when a voting ballot has been handed out and prevent it from happening multiple times Must be able to confirm whether a voter is eligible to be handed a ballot based on a CPR number and a voter number Must support a management machine with elevated privileges Must have a graphical user interface At least the management machine must be able to display relevant data about the election and status of the stations e Code requirements Unit tests must cover at least 9096 of the station manager code 9096 of the code of the database layer 9096 of the code of the crypto layer 9096 of the core data types XK X X X Other tests must include The scanner The printer The user interface XK XX X X The communication layer Must use code contracts Must be thoroughly documented The system Must be able to recover from common network errors Must be able to track if a voter card has been printed for a person Must allow a voter to use any of the stations at the election place Must allow extraction of the full data set on at least the management machine at any given time during the election Must be able to generate voter cards Must be able to scan voter cards Requires at least four machines to operate of which one is a management machine Requires that adding or removing a station mus
134. r link http get adobe com reader or another PDF reader on each machine The user manual in the program is a PDF file and Adobe acrobat reader is able to display it Make sure that each machine is in the 192 168 0 1 192 168 255 255 IP range When using this application for the first time Windows will ask you if you want to allow Aegis DVL to pass through your firewall You need to allow this Start the Digital Voter List application on each of the machines You are now presented with this screen r al J Aegis DVL e E File Help Vaelg type for denne maskine Station Manager Afslut S 4 Choose Manager on the manager machine and Station on all the station machines 67 Station usage 1 After you have selected Station you are presented with this page r J Aegis DVL EI File Help Venter p Manager This screen is displayed until a manager connects 2 When a manager connects a password is shown on his screen and you are presented with this screen r x Ez 44 Accept Manager Indtast kodeord vist p managerens sk rm 192 168 1 10 68 Type the password displayed on the manager in this window and press OK 3 When the password has been accepted the reverse process begins Now a password is displayed on your screen like this J Aegis DVL e G x4 Filer Hj lp Indtast dett
135. racle Database PL SQL Packages and Types Reference 10g Release 2 10 2 Part Number B14258 02 retrieved from http docs oracle com cd B19306 01 appdev 102 b14258 d_crypto htm on 12th March 2012 4T 11 Database Encryption in SQL Server 2008 Enterprise Edition Sung Hsueh Microsoft February 2008 retrieved from http msdn microsoft com en us library cc278098 v Sq1 100 aspx on 12th March 2012 12 Protect Sensitive Data Using Encryption in SQL Server 2005 Don Kiely Mi crosoft December 2006 retrieved from download microsoft com download 4 7 a 47a548b9 249e 484c abd7 29f31282b04d SQLEncryption doc on 12th March 2012 13 11 13 Encryption and Compression Functions retrieved from http dev mysq1l com doc refman 5 5 en encryption functions html on 12th March 2012 14 Encrypting an Access Database Mike Chapple retrieved from http databases about com od productinfo a encryption htm on 12th March 2012 15 PostgreSQL 8 1 23 Documentation 16 6 Encryption Options retrieved from http www postgresql org docs 8 1 static encryption options html on 12th March 2012 16 The SQLite Encryption Extension SEE retrieved from http www hwaci com sw sqlite see html on 12th March 2012 17 SQLite Home Page retrieved from http www sqlite org on 18th March 2012 18 How to protect data in Firebird database retrieved from http www firebirdfaq org faq160 on 12th March 2012 19 Adaptive Server Ent
136. re password void and validMasterPassword password and Database get cpr password NOTRECEIVED end BallotReceived void voterNumber VOTERNUMBER gt cpr CPR require Database get voterNumber cpr NOTRECEIVED ensure Database get voterNumber cpr RECEIVED end BallotReceivedCPROnly void Cpr CPR password STRING require password void and validMasterPassword password and Database get cpr password NOTRECEIVED ensure Database get cpr password RECEIVED end RevokeBallot void voterNumber VOTERNUMBER Cpr CPR require Database get voterNumber cpr RECEIVED ensure Database get voterNumber cpr NOTRECEIVED end RevokeBallotcCPROnly void Cpr CPR password STRING require password void and validMasterPassword password and Database get cpr password RECEIVED ensure Database get cpr password NOTRECEIVED end AnnounceAddPeer void newPeerAddress IPADDRESS newPeerKey ASYMMETRICKEY require IsManager and newPeerAddres void end AnnounceRemovePeer void removePeerAddress IPADDRESS require IsManager and removePeerAddress void end PromoteNewManager void newManagerAddress IPAddress require IsManager and newManagerAddress void end AnnounceStartElection void require IsManager and not ElectionInProgress ensure ElectionInProgress end AnnounceEndElection void require IsManager and ElectionInProgress ensure not
137. rent validMasterPassword pswd and GetBallotstatuscPROnly cpr pswd BALLOTSTATUS Unavailable and bs BALLOTSTATUS Unavailable and GetBallotstatusCPROnly cpr pswd BALLOTSTATUS NotReceived and bs Ballotstatus Received or GetBallotStatusCPROnly cpr pswd BALLOTSTATUS Received and bs Ballotstatus NotReceived ensure GetBallotstatusCPROnly cpr pswd bs end deferred AllData SEQUENCE ENCRYPTEDVOTERDATA ensure result void end deferred Parent STATION ensure result void end deferred Import void data SEQUENCE ENCRYPTEDVOTERDATA require data void end end end Page 1 Database Formal 16 05 2012 54 end Page 2 Logger Formal 16 05 2012 O N du bh Uu N pp RR RR RR CRR RR o N KK Q NE O static diagram DIGITALVOTERLIST component cluster LOGGER component deferred class ILOGGER feature deferred Log void message VALUE level VALUE require message void end deferred Export SEQUENCE LOGENTRY ensure result void end end end end Page 1 Scanner Formal 16 05 2012 OD N DUN SS uU N pp RR NBEO static diagram DIGITALVOTERLIST component cluster SCANNER component deferred class ISCANNER feature deferred scan VOTERNUMBER end end end Page 1 Station Formal 16 05 2012 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
138. s not have an end to end voter auditable trail 39 which allows for voters to verify that their voter has been counted correctly or in our case that the voter has been marked as having received a ballot Systems like Punchscan 40 and Scantegrity 41 implement this and this should be considered for further development of our system although focus on a trail for the votes is more interesting than the voter cards One can argue that if there is a trail to the vote a trail to the voter card is redundant Another consideration is whether or not to have actual voting machines dedicated to only the task at hand Voting machines are available from vendors such as Dominion Voting 42 but can be expensive compared to a normal PC The advantages of using a voting machine is that it is harder to compromise since the user interface and functionality is smaller than that of a PC The disadvantages is the price and the fact that updates to these machines comes from a single commercial vendor who might not provide transparency for their system This could make it hard to verify whether or not the system works as intended for anyone outside the vendor company Compared to the system developed by KMD our system has less restrictions and a more robust way of storing the voter data While the KMD system might have some practical aspects our system lacks the robustness and security of our system is superior 34 Chapter 10 User Manual and Users Contrary t
139. s the command to the newly elected manager e When a station fails to send a command to another station only likely when it is announc ing to other stations that they should elect a new manager it simply removes the peer from its peer list 8 3 1 Electing a new manager If the manager machine crashes during the election the system is able to recover by electing another station to be the new manager Since a crash can potentially happen at any time there are some required properties the manager election algorithm must have e It must be able to elect a unique leader that every station agrees on e It must be able to elect the same leader if several elections are initiated provided the same machines are part of the initiated elections e It must terminate e It must be relatively fast so it does not impact the users To satisfy these requirements we have implemented an algorithm where the station with the highest identifier e g IP address is elected as manager If the station with the highest identifier is unreachable the station with the second highest identifier is elected and so on This fulfills all 28 the required properties of our manager election algorithm and gives us a worst case and average case complexity of O n This solution requires that each station has a list of all the other stations and their identifiers that the identifiers do not change during the election and that the identifiers are consistent Algori
140. sword STRING require password void end ShutDownElection void ExchangePublicKeys void address IPADDRESS require address void and StationActive address end StartListening void require not Listening ensure Listening end StopListening void require Listening ensure not Listening end StartElection void require not ElectionInProgress ensure ElectionInProgress end EndElection void require ElectioninProgress ensure not ElectioninProgress end AddPeer void address IPADDRESS key ASYMMETRICKEY require address void and not Peers Contains address ensure Peers Contains address end RemovePeer void address IPADDRESS require address void and Peers Contains address ensure not Peers Contains address end StartNewManagerElection void ElectNewManager void require not StationActive Manager ensure Manager old Manager end RequestBallot void voterNumber VOTERNUMBER gt cpr CPR require Database get voterNumber cpr NOTRECEIVED end RequestBallotCPROnly void Page 2 Station Formal 16 05 2012 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 137 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 Cpr CPR password STRING requi
141. systemets Master kodeord ffiuuog YI Kun valgsekret ren m kende dette og det vil ikke blive vist igen Tilbage N ste This window displays the master password It should only be read by the election secretary and is never shown again It is used to start an election end an election register a voter only with his CPR number and access the log database 2 When you press N ste you are presented with the Data Load Page F J Aegis DVL arry PE U Valg data C Users Skovvart Documents My Dropbox Bachelor Proje Gennemse i j Election public key C Users Skowvart Documents My Dropbox Bachelor Proje From here you can choose the file location of the voter data the system needs to import 71 and the encryption key for the voter data in question When you have found these press N ste 3 You are now presented with this page r J Aegis DVL balba Filer Hj lp IP Adresse Tilsluttet 192 168 1 13 I E mie titi tiem start Valg From here you have several options Opdater updates the list of stations you can connect to Tilbage takes you back to the page showing the data loading It generates a new master password which should be used henceforth Tilfoj attempts to connect to the station you have selected A password appears on the page like this 72 KJ Aegis DVL utm arima Filer Hj lp Indtast dette ko
142. t If he is an election official should hand him a ballot The system needs to be distributed because the data needs to be shared between the ma chines For a discussion on how this is achieved see section 6 Data The sharing itself is done through the local network and this could potentially be a security concern We require that users of the system makes sure they are connected to a closed wired network during the entire election This is discussed further in section 8 Security Since the data the system is handling is personal sensitive data encryption of the data is essential We strove to have the data encrypted at all times to make sure that both outside and inside attacks would be as hard as possible This applies to the databases containing the voter data and the logs as well as the data being transmitted over the network To use the system one must have an encrypted data set of the voters that are eligible to vote at the election venue and the encrypted key used This data is loaded into the system on the manager machine and when it connects to a station it is distributed to that station The manager machine generates a master password which is used to start an election end an election mark a voter as having received a ballot with his CPR number only and access the log database When the manager machine has connected to the desired stations it can start the election When this is done all the machines switch to a screen where it is
143. t CPR indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation A CPR number is a number identifying a danish citizen consisting of the birthdate and a number query What does this CPR number look like constraint The numeric value of a CPR number is always greater than zero end Class chart VOTERNUMBER indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation A voternumber is a unique number used in conjunction with the CPR number to request a ballot Page 1 Core Datatypes 16 05 2012 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 query what does this voter number look Tike end class chart BALLOTSTATUS indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation A ballot status is used in conjunction with a cpr number and a voternumber and indicates wheither status that indicates whether the ballot has been handed out not handed out or if it is unavailable at the given election venue query what is the status of this ballot constraint A ballot status is always either handed out not handed out or not available end class chart ENCRYPTEDVOTERDATA indexing author Nikolaj Aaes niaa itu dk Nicolai Skovvart nbskGitu dk explanation Encrypted voterdata is the encrypted comb
144. t be approved by at least the man agement machine Secondary goals optional It should be faster to use the system than using the current paper based model The system should be able to generate a list of all the voters of the election place and whether they have voted or not and print it The graphical user interface should be easy to learn and use The system should support letter votes Use a data flow analysis tool to reason about correctness of the data flow in the system Use an analysis tool to reason about the cryptographic protocol used By implementing a solution that fulfills these goals we made sure we had a well tested docu mented and robust system that enabled the current work practices to be carried out in a secure manner while still being conducted inside the boundaries of the law Ideally the unit tests should cover 10096 of the code but as some code is hard or impractical to test like the user interaction and some netcode we lowered the requirements to 9096 code coverage to provide some leeway Chapter 5 Design and Architecture 5 1 Overview The system we have designed consists of one manager machine and at least three station ma chines with the ability to add more Each of the machines will have an attached barcode scanner that enables voters to scan their voter cards A voter can type his CPR number into the system and scan his voter card which makes the system check if he is eligible to receive a ballo
145. t suit our needs and that the information we would have gained from using this method was already largely covered by the attack trees 8 2 Protection The system uses multiple layers of protection e Symmetric encryption of the log database e Symmetric encryption of the voter data database e Asymmetric encryption of the voter data the voter number CPR number and ballot status e Obfuscation of public keys during key exchange to prevent man in the middle attacks 24 e Hybrid cipher encryption of most commands transmitted over the network The symmetric encryption of the log and voter data database is handled by our database implementation using SQLite as SQLite has an optional crypto layer The log database is en crypted with the master password so no logs are lost due to system crashes since the password is not lost if a crash occurs This does enforce a higher reliance on the integrity of the election secretary The voter database password is randomly generated and known only by the machine The voter data is asymmetrically encrypted before arriving at the election venue together with the public key that was used to encrypt the data set Every station has it own public private key pair and it shares the public key with all of its peers During public key exchange we need to be able to verify that the received request is actually from whom it claims To do this the public key is obfuscated before being transmit ted over the
146. tboxTex DoneButtonClick IsNumeric PastingHandler PreviewTextinp Y CancelButtonCl 4 CheckMasterPa Y OkButtonClick 0 PwTextboxPass Aegis DVL User interface Manager AcceptManager Class Window T El Methods 79 AcceptManage Y CancelButtonCl Y OkButtonClick Y PwTextboxPass Class Window E Methods Y ExitClick Y ExportDataClick Y HelpClick Y MarkVoterClick 3 OnClosing 4 StationWindow Page i Methods Y ExitButtonClick Y ManagerButton Y StationButtonCl 5Q TypeChoicePage BallotCPRReque Class Window T El Methods BallotCPRRequ BallotResponse CancelButtonCl CPRTextboxTex DoneButtonClick IsNumeric PastingHandler PreviewTextinp CheckMasterPas A Class gt Window T El Methods Y CancelButtonCl 5 CheckMasterPa Y OkButtonClick e PwTextboxPass BallotRequestPa Class Page T El Methods BallotRequestP BallotResponse BecomeManager CheckValidityB EndElection IsNumeric PastingHandler PreviewTextinp VoterCardNum Class gt Page E Methods Y BackButtonClick 5Q MasterPasswor Y NextButtonClick 5 EndedElectionP Y ExportButtonCli Y FileBrowseButt AnnounceEndEl BallotRequestR CreateNewStati DiscoverPeers DisposeStation ElectionEnded ElectionStarted EnoughPeers EnoughStations ExchangeKeys
147. te sendTo 0 loop notifyStations updateDB sender 1 STATIONAMOUNT sender sendTo sendTo STATIONAMOUNT confirmVoter voters managerVoter voters managerVoter true stationVoter managerVoter handOutBallotFromStation sender 81 r 29 C Users Nikolaj Documents My Dropbox Bachelor Project Bachelor UPPALLxml UPPAAL Fil Rediger Vis Funktioner Indstillinger Hj lp s amp m 3x J Beam mm amp gt o bool 8oters VOTERAMOUNT int id 4 Erklaeringer idle updateDB id update handOutBallotFromStation id handOutBallotFromStation id ballotsHandedOut stationVoter voters stationVoter true handoutBallot 82 tU C Users Nikolaj Docume ES V P slor Pro PALL BEEE Fi Rediger Vis Funktioner Indstillinger Hj lp Babia Gir Ra gt o S Station E S Manager a StationListener 4 Systemerklaeringer Y Place global declarations here The amount of stations in the model const int STATIONAMOUNT 3 The amount of voters in the model const int VOTERAMOUNT 3 types used for verification and channels typedef int 0 STATIONAMOUNT 1 chan t typedef int 0 VOTERAMOUNT 1 voter t channels urgent chan requestUpdate urgent chan updateDB chan t
148. te 2012 03 29 15 06 1428 Message Most of station done Need to update BON still 1429 1430 Revision 49 1431 Author Skovvart 1432 Date 2012 03 28 16 19 1433 Message Updated Message and BON to include an IV 144 1435 Revision 48 1436 Author Skovvart 143 Date 2012 03 28 15 56 1438 Message Recompiled BON 1439 1440 Revision 47 1441 Author Skovvart 144 Date 2012 03 28 15 54 1443 Message Readding commands to solution after conflict 144 144s Revision 46 1446 Author Skovvart 144 Date 2012 03 28 15 51 1448 Message Added Commands folder and ICommand Updated BON very very slightly 1449 1450 Revision 45 1451 Author Aaes 1452 Date 2012 03 28 15 46 1453 Message added BON documentation to the Communicator 1454 1455 Revision 44 1456 Author Skovvart 1457 Date 2012 03 28 15 41 1458 Message Updated compiled bon added bon compile commands in compilebon txt 1459 1460 Revision 43 1461 Author Skovvart 1462 Date 2012 03 28 15 25 1463 Message Updated compiled BON 1464 1465 Revision 42 1466 Author Aaes 1467 Date 2012 03 28 15 17 1468 Message added a method to discover all the machines connected to the same network in the workgroup WORKGROUP 1469 1470 Revision 41 1471 Author Skovvart 1472 Date 2012 03 28 15 10 1473 Message Crypto documentation updated 144 1475 Revision 40 1476 Author Skovvart 147 Date
149. ter Ant i voterConfirmed false for i 0 i lt VOTERAMOUNT i if voters i voterConfirmed true 85 Fil Rediger Vis Help Babia AN o Navn Station Parametre bool amp voters VOTERAMOUNT intid Place local declarations here voter is the voter number of the person wanting to vote here 0 1 2 int voter 0 voterConfirmed is whether the voter has already voted in the local d bool voterConfirmed void checkVoter Ant i voterConfirmed false for i 0 i lt VOTERAMOUNT i if voters i voterConfirmed true 86 17 5 Attack trees Attack trees as described by Schneier in the notation described by Moore et al with the addition of using lt Attack pattern name gt to indicate the use of attack patterns in the attack tree This should make the attacks trees less cluttered and make them easier to investigate When the notation is used in an attack tree the attack pattern can be substituted in for the identifier We have also added a parentheses at the end of each action indication the cost of the action in Danish kroner the number of people required to carry out the action the technical skill needed to carry out the attack high medium or low and the likelihood of the attack rated from 1 to 5 where 1 is very unlikely and 5 is very likely Example 2 Manipulate person s responsible for part
150. text box the voter can be handed a ballot appears after you have typed the mas ter password 56 55 Press Kun CPR with an A prompt saying that Yes None invalid CPR number in the voter can not be the appropriate text box handed a ballot appears after you have typed the master password 56 Press F rdig with no You can not press the Yes None CPR number in the ap Kun CPR button propriate text box 57 Press Kun CPR with You can not press the Yes None a valid CPR number Kun CPR button and a in the appropriate text label showing that not boxes but not enough enough stations are con stations are connected nected appears 58 Pres the Opdater A progress bar appears Yes None button in the Man indicating that the list agerOverviewPage is updating When it is done the list is updated 59 Press the Opdater the old update is can No a ObjectDisposedEx Button in the Man celed and a new update ception is thrown agerOverviewPage of the list starts while it is updating 60 Press the Tilf j button Nothing happens Yes None with nothing selected in the ManagerOverview Page 61 Press the Fjern button Nothing happens Yes None with nothing selected in the ManagerOverview Page 62 Press the Tilfoj but Nothing happens No an Exception is thrown ton with a station you are already connected to selected in the Man agerOverviewPage 63 Press the Fjern
151. the PGP and GPG solution If we operate in a closed network the certificate authority must be in the same closed network for us to access it We do not want any machines we do not control ourselves in our network which means we have to control the certificate authority ourselves This comes down to trusting the certificates we made ourselves essentially trusting that we are trustworthy which does not provide any security 8 2 3 Cryptography Our cryptography is implemented using Bouncy Castle s 51 C implementation For asym metric encryption we use RSA 52 Input byte arrays are padded with a 1 byte to prevent data loss Other padding schemes were tried such as OAEP 53 Optimal Asymmetric Encryp tion Padding but they made encrypted data incomparable which was needed for the database We did not deem it a big problem as all asymmetrically encrypted data should be unique CPR numbers are unique voter numbers are unique and the ballot status converted to an unsigned integer is added together with the CPR number before being encrypted making it unique A ballot status added together with a CPR number is potentially not unique but it has different meanings RSA keys are generated using Bouncy Castle s RsaKeyPairGenerator with 3072 bit strength RSA claims that 1024 bit keys are likely to become crackable between 2006 and 2010 and that 2048 bit keys are sufficient until 2030 An RSA key length of 3072 bits should be used if security is requ
152. the security of the system greatly If a machine is not connected to the network there is no control with the data set on that machine An attack would only have to compromise that single machine to produce an inconsistent data set after the election has ended In our opinion KMD would have been better off if they had chosen a solution where the machine that loses the connection to the network should be excluded from the election 33 The system developed by KMD has two different levels of ambition for handling errors This is an interesting notion and shows that KMD has a realistic view of how election venues differ from each other Ideally every venue would adhere to the high level of ambition but in reality this is not possible Our system does not have such a notion but it would be a consideration for further development The system developed by KMD only requires that the election secretary logs into the system before the ballot statuses of the voters can be changed This presents a potential security risk If we assume that the election secretary logs into the system at the start of the election and then later needs to get a cup of coffee nothing is stopping anyone from editing the statuses of the voters during that time We have chosen to have the election secretary type the master password each time the ballot status of the voter needs to be changed While this might be considered an inconvenience it increases the security Our system doe
153. thm 3 Elect a new manager Require IsActive CurrentManager check if the manager is reachable 1 Le 2 L Add IP add the IP address of this machine since it is not a part of the Peer list 3 for all Peers do 4 if IsActive Peer then 5 L Add Peer 6 end if 7 end for 8 Sort L by IP Address 9 return L First the highest IP address would be the first element in L When designing this we considered two alternatives Franklin election algorithm Average complexity O n log n worst case complexity O n This algorithm is a ring election algorithm where each node sends its identity to its two adjacent neighbors compares its identity with the nearest active neighbors identities and if its identity is not the largest the node becomes passive It repeats this until the node with the largest identity receives its own message 3 Hirschberg Sinclair algorithm Average complexity O n log n worst case complexity O n log n This algorithm is also a ring election algorithm and works much like the Franklin algorithm It operates in waves where each node tries to become the leader by sending a wave k out if it is the leader when the wave returns it proceeds to the next wave k 1 This is repeated until only one node is left which is then elected the leader 4 The best case scenario for our algorithm O 1 occurs if the only machine that crashes is the manager machine If we were to use the Franklin algorithm this would
154. to se to type in this password lected in the Overview appears on the station Page 41 A station replies to your a prompt appears on Yes None request to add it in the your screen and if you OverviewPage type in the correct pass word the station ap pears as connected in the list 42 Press the Fjern button The station appears as No while it is removed it with a station you are not connected in the list appears in the list as not connected to selected in connected only after the the OverviewPage list has been updated 43 Press the Start Valg a box appears telling Yes None button in the Overview you that you can not Page while you are con start the election with nected to an amount of out connecting to more stations less than the re machines quired amount 44 Press the Start Valg redirection to the Man Yes None button in the Overview Page while you are con nected to the required amount of stations or more agerOverviewPage All the connected stations redirected to the Bal lotRequestPage ManagerOverviewPage 55 45 Press F rdig with a A prompt saying that Yes None valid voter number and the voter can be handed CPR number in the ap a ballot appears propriate text boxes 46 Press Fardig with an A prompt saying that Yes None invalid voter number the voter can not be and CPR number in the handed a ballot appears
155. tself and one or more backups of the other stations The manage ment machine can have data sets like in the second solution This solution improves on the previous solution by having a more robust design In this solution a machine can crash without the loss of data since a backup is always kept on another machine This increases the network traffic but leaves the full data set partitioned making it harder for adversaries to obtain it The management machine has the full data set and the stations contain no data This solution focuses on storing as little data as possible on the stations Since the stations are the most vulnerable machines as they are handled by the voters they contain no data at all This is somewhat network traffic intensive for the manager compared to the other solutions since every update is sent to the manager who then updates the database It is also quite a dangerous solution since the manager machine becomes a single point of failure If it crashes the entire election data is lost Against adversaries this is both advantageous and disadvantageous since the stations have no data that can be obtained but the manager machine has the full data set If the adversary is aware that the data is located on the manager machine only he has no need to attack the stations A separate database is located in the election venue and the management machine takes the role as a proxy to facilitate communication between stations and the data
156. ttp csrc nist gov publications nistpubs 800 57 Sp800 57 Parti revised2 Mar08 2007 pdf on 21th May 2012 59 How secure is AES against brute force attacks Mohit Arora retrieved from http www eetimes com design embedded internet design 4372428 How secure is AES against brute force attacks on 21th May 2012 60 OpenSSL The Open Source toolkit for SSL TLS retrieved from http www openssl org on 22th May 2012 61 OpenSSL NET retrieved from http openssl net sourceforge net on 22th May 2012 50 Chapter 17 Appendix 17 1 User interface tests UI Tests No Task Expected Behavior Did it behave as ex Errors pected TypeChoicePage 1 Push the Station button Redirection to the Wait Yes None on the TypeChoicePage ingForManagerPage 2 Push the Manager but Redirection to the Mas Yes None ton on the TypeChoi terPasswordPage cePage 3 Push the Afslut button The application closes Yes None on the TypeChoicePage Menus 4 Choose User manual un the user manual opens Yes None der the Help menu as a pdf file 5 Choose Exit under the A prompt asks for the No The master pass File menu master password and word is always be the application closes if false if you are in it correct TypeChoicePage Wait ingForManagerPage MasterPasswordPage and DataLoadPage This is becsuse the station object have not been initialized 51
157. ture is never used graphical user interface should be easy to learn and use We did not test the usability of the user interface since it is only meant for demonstration purposes If a new user interface is created there should be a focus on the ease of learning and ease of use system should support letter votes This requirement was not met but the possibility for gathering the letter votes beforehand and passing the voter data to our system is present thereby eliminating the need to merge the data later on However this would require that the letter votes were partitioned in the same way as the voter data for each election venue a data flow analysis tool to reason about correctness of the data flow in the system We used the model checking tool UPPAAL 28 to reason about the synchronization algo rithm in the system UPPAAL could also be used to reason about additional parts of the system to ensure its correctness an analysis tool to reason about the cryptographic protocol used This requirement was not met but would be a great addition to the security guarantee the system provides 46 Chapter 16 References 1 Applied information security A hands on approach David Basin Patrick Schaller Michael Schl pfer Springer Verlag Berlin Heidelberg 2001 Distributed Algorithms Nancy A Lynch Morgan Kaufmann Publishers Inc 1996 Leader Election Algorithm in Anonymous Rings Franklin Goes Probabilistic Rena Bakhshi
158. types password is now dots instead of letters Page 11 Revision History 21 05 2012 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 Revision 150 Author Skovvart Date 2012 05 01 16 00 Message Updated Dispose to check that Logger and Crypto are only disposed when set Revision 149 Author Skovvart Date 2012 05 01 15 58 Message ValidMasterPassword checks for null Rarely relevant but can cause exception in UI otherwise Revision 148 Author Aaes Date 2012 05 01 15 57 Message when the master password is check the cancel button no longer pops up a prompt saying incorrect password Revision 147 Author Aaes Date 2012 05 01 15 53 Message Check master password dialog changes Revision 146 Author Skovvart Date 2012 05 01 15 44 Message Always override database Revision 145 Author Aaes Date 2012 05 01 15 43 Message moved a statement Revision 144 Author Skovvart Date 2012 05 01 15 35 Message Revision 143 Author Aaes Date 2012 05 01 15 29 Message You can now choose All files in the dataload page Revision 142 Author
159. umber or just the CPR number provided you know the master password The only difference between the right side of the screen and the previous window is that the Start Valg has been replaced by Afslut Valg which lets you end the election pro vided you know the master password When this is pressed the election ends the station 74 machines closes their applications and you are presented with this page Valg destination 6 Here you can export the voter data to a destination of your choice Other At any time in the program you can choose Marker v lger Eksporter Data or Afslut from the Filer menu or Bruger manual from the Hj lp menu Marker vaelger Eksporter data Afslut e Marker v lger opens this dialog 75 Y CPR Lo 2 lt Here you can mark a voter with only their CPR number provided you know the master password After you have entered the CPR number you are asked to enter the master password in this window Indtast Master Kodeordet When this is done you can press OK and one of the following dialogues is shown 76 Giv ikke stemmeseddel 28 This indicates that the voter is either not eligible to vote at this venue or that he has already been handed a ballot Giv stemmeseddel M iem m A Vaelgeren 250001 M gives en stemmeseddel L This indicates that the system has accepted the voter number and CPR number and
160. urce replacement for the propri etary expensive Digital Voter List system developed and supported by KMD used to generate and check voter cards in the 2011 national elections The system will focus on data security and consistency Instead of reinventing the process we have examined the KMD system and used some of the concepts We are not building on top of the KMD system but rather investigating other ways to handle the same problems both regarding design and implementation A user of KMD s system should ideally be able to sit down and use the Aegis DVL system right away Chapter 2 Scope The system is responsible for the exchange of voter cards to ballots and not the actual votes There is only one entry point in the form of the import of voter data and one exit point when the data is exported again An election secretary is responsible for the election venue and election officials are responsible for handing out ballots to the eligible voters CPR register Assign eligible voters to election venues Voter Voter National tallying of results Election venue After election Election Election Official 14 Official Election secretary This paper covers the following topics e A discussion of the design of the Aegis DVL system e A discussion of what data is vulnerable and should be protected and how the security is obtained e A description of how synchronization and distribution of data is implemented in th
161. ute Q RequestBallotC Class r Properties CF Sender 2i Methods Execute amp RequestBallotC Aegis DVL Database PP DatabaseContrad 2 Interface Abstract Class Disposable El Properties g i SS C AllData CS AuData CST Parent iss RA i FF this 1 not sh E s iso ED El Methods i 7V Dispose Import Import n H EncryptedVoter Struct E Properties Z BallotStatus oF CPR FF VoterNumber El Methods EncryptedVoter Y Objectinvariant ToString SA 8 M E Properties FF Value El Methods 5 CPR implicit operat Y Objectinvariant 5Q ToString E Properties EF AllData Parent FF this 1 not sh El Methods Y SqLiteDatabase 5 Add 5 Dispose 1 ov Y GetVoter 5 Import 9 InitDb SqLiteDatabase E Properties oF value El Methods implicit operat 5 ToString VoterNumber Aegis DVL Logging Log Class gt EntityObjed E Properties oF d m LogEntry Ei Methods CreateLog 9 OnldChanged 8 OnldChanging Y OnLogEntryCha 9 OnLogEntryCha 62 Struct E Properties EF Level mm Message m Timestamp E Methods 7 LogEntry Y Objectinvariant 5 ToString Aegis DVL Crypto GeneratePassw GenerateSymm Hash Newlv Sy mmetricDecr Struct E Properties FF value El Methods 4 CipherText
162. ution Revision 171 Author Skovvart Date 2012 05 02 13 53 Message Moved UI interface to DVL solution updated placeholder ui method calls to the interface ones updated some commands to properly notify the UI Revision 170 Author Aaes Date 2012 05 02 Message Revision 169 Author Aaes Date 2012 05 02 Message added a Revision 168 Author Aaes Date 2012 05 02 Message Revision 167 Author Aaes 13 52 13 50 cancel button to the BallotCPRRequestwindow 13 47 Page 10 Revision History 21 05 2012 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 Date 2012 05 02 13 46 Message Revision 166 Author Aaes Date 2012 05 02 13 46 Message Now the assorted windows can react to a reply concerning whether or not to hand out a ballot Revision 165 Author skovvart Date 2012 05 02 13 27 Message Made it compilable again Revision 164 Author Skovvart Date 2012 05 02 13 10 Message Revision 163 Author Skovvart Date 2012 05 02 13 10 Message Updated UI Interface for Dvl purposes Revision 162 Author Skovvart Date 2012 05 02
163. volerConfimed tre equestBallot SL1 handOutBallotFromStation baliotsHandedOutfstatioriVoter e idle updateDB 0 update handoutBallot voters 1 stationVater true checkVoter voter voter 1 voter lt VOTERAMOUNT confimVoter voterConfirmed faise voterConfimed tue equestBallot 79 r 29 C Users Nikolaj Documents My Dropbox Bachelor Project Bachelor UPPALLxml UPPAAL lt za x n Fil Rediger Vis Funktioner Indstillinger Hj lp Banja 2 2 Na gt o a Editor simulator Verifikator Tr k ud Jj Navn Station Parametre bool amp voters VOTERAMOUNT int id La Projekt Erklzeringer sam E S Manager S StationListener Systemerkl ringer voter lt VOTERAMOUNT idle checkVoter confirmVoter voter voter 1 voterConfirmed true equestBallot voterConfirmed false requestUpdate managerVoter voter 1 sender id 80 r Y C Users Nikolaj Documents My Dropbox Bachelor Project Bachelor UPPALLxml UPPAAL Fil Rediger Vis Funktioner Indstillinger Hj lp Ba 8 amp a ae Simulator Verifikator J Navn Manager Parametre bool amp voters VOTERAMOUNT voters managerVoter sendTo STATIONAMOUNT f quest upda
164. w 4 OR 1 Access a database on a machine 0 1 low 4 AND 1 Gain access to the machine 0 1 low 4 OR 1 Physically force access 0 1 low 4 2 Digitally force access lt Digitally force access gt 2 lt Acquire private key used to decrypt the data gt 3 lt Acquire the database key gt 4 Decrypt and read the data 0 1 high 5 5 Gain access to the digital data after the election has ended 0 1 low 4 OR 1 At election venue 0 1 low 4 Same as gain access to the digital data during the election 2 Intercept the transportation of the exported data 0 1 low 4 OR 1 Access the USB device 0 1 low 4 AND 1 Physically acquire the device 0 1 low 4 OR 1 Steal without people transporting it noticing 0 1 low 1 2 Manipulate people transporting it lt Manipulate person s gt 2 lt Acquire private key used to decrypt the data gt 3 Decrypt and read data 0 1 high 5 3 At the tallying place 0 1 low 4 OR 1 Be responsible for tallying 0 1 low 1 2 Manipulate person s responsible for tallying to manipulate the data lt Manipulate person s gt 3 Manipulate the data without the person s responsible noticing 4 lt Digitally force access gt 5 Physically force entry and the attacker manipulating the data 0 1 low 4 17 6 Revision history 97 Revision History 21 05 2012 Q M O tu BU NH PRR ROGA d amp d RR UU LU UU UU UU UU UU UU UU UL NM NR NM M M NM NM NM M NM OD LB HB PR PR RPP PB N RoU M LB O Q X O a
165. y security Alternatively the keys could be generated beforehand imported along with the voter data and signed by an entity outside the system This would require that each election venue would have knowledge about how many machines they would need to create the correct number of keys One could also generate extra keys for each venue in case of system crashes Another idea could be to have people sign the keys manually If the election has a group of trusted people they could potentially visit all the election venues and sign the keys While both these ideas are viable they introduce extra costs and extra complexity into the system and we have chosen not to implement any of them One of the things we used from the PGP and GPG technology was the idea of hybrid ciphers This is an easy way to ensure data integrity and non repudiation A description of how we used hybrid ciphers to construct the commands in the system can be found in section 8 2 3 Cryptog raphy 26 Secure Sockets Layer SSL is a secure way to communicate over the TCP protocol and relies on digital certificates to authenticate machines The main idea is that if a certificate authority trusts a machine to have a certain identity you could trust that identity is their real identity This is done by asking the certificate authority for the encryption key to the machine in question and by using this you can establish a secure communication channel We encounter the same problem as with
166. ySQL 13 MySQL Yes Yes Yes Yes PostgreSQL 15 PostgreSQL Yes Yes Yes Yes SQLite 16 SQLite Yes Yes Yes Yes DBMS crypto 10 Oracle No Yes Yes Yes MSSQL 1 Microsoft No Yes Yes Yes Sybase ASE 19 Sybase No Yes Yes Yes DB2 20 IBM No Yes Yes Yes Firebird 18 Firebird Yes No Yes Yes Microsoft Access 14 Microsoft No Yes No Yes We have decided to implement the database using SQLite 17 SQLite is a software library that implements a self contained serverless zero configuration transactional SQL database en gine 17 We decided to use this DBMS as it fulfills all the desired properties it was fast to install and implement and it did not require the use of external systems To interact with the database we use the ADO NET Entity Framework 47 20 Chapter 8 Security Security is an essential part of every system in the domain of elections Making sure that the election can not be tampered with is of the highest priority because the information could potentially have consequences for a lot of people We approached this using the twelve principles presented in Applied information security A hands on approach 1 1 Simplicity simpler security mechanisms are easier to understand and maintain 4 We designed a system that introduces as few new concepts as possible so users of the current paper based solution should find the application easy to use Open design a system should not depend on the secrecy of its protecti
167. ystem accepts is e Voter numbers and CPR numbers e Passwords strings the master password and deobfuscation passwords used when exchang ing public keys e Voter data to be imported during system initialization and the key used to encrypt the data e Commands transmitted over the local network The voter numbers and CPR numbers are relevant as they are used in conjunction with the database though they are not stored as numbers in the database The fact that they are numeric makes it fairly simple to filter out bad input and it can be handled by the user interface 25 We also used the ADO NET Entity Framework 47 an Object Relational Mapping framework 48 A framework such as this enabled us to work with type safety and reduces the risk of hu man error since it abstracts away from writing raw SQL commands in strings The passwords are not used in any queries and should not introduce any SQL injection pos sibilities The voter data to be imported is serialized system structs so when de serializing them they should fail before ever reaching the system if they are not in the correct format Currently we have no way to ensure that the intended data set is the one reaching the election venue This could potentially be solved by having the data obfuscated or signed and the deobfuscation pass word only being exchanged securely when the data is at the election venue Commands are validated by the fact that almost all commands
Download Pdf Manuals
Related Search