Religion & Spirituality

A Trustable Electronic Government Voting Management Framework Using TPM

Description
A Trustable Electronic Government Voting Management Framework Using TPM
Published
of 7
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
Share
Transcript
  A Trustable Electronic Government Voting Management Framework Using TPM Mervat Adib BamiahStaffordshire University, UCTITechnology Park MalaysiaKuala Lumpur, Malaysiamervatbamiah@yahoo.com Ali DehghantanhaAsia Pacific University College of Technology and InnovationTechnology Park MalaysiaKuala Lumpur, Malaysiaali_dehqan@ucti.edu.my Bridget ArchibaldAsia Pacific University College of Technology and InnovationTechnology Park MalaysiaKuala Lumpur, Malaysiabridget@apiit.edu.my   Abstract  —  one of the critical systems is Electronic voting (E-Voting) system, in sense of security-critical computingaccording to its voting process, that is responsible for storingthe preference of the voters accurately and securely. Theintegrity of the election process is fundamental to the integrityof democracy itself. That requires good secure voting system,whether electronic or traditional paper ballots, to guarantee the voter’s and candidate trust of the system and the results. This paper presents the issues in E-Voting system, ProposedFramework based on the literature review and Quantitativestudy, and a brief discussion on implementation of TrustedPlatform Technology (TPM) as a part of the proposedframework.  Keywords- Electronic Voting Systems, Trusted Platform Module (TPM), Security I.   I NTRODUCTION Critical systems that have a vital impact on nation‟s  destiny and future have to be secured to the highest level,and given the most priority; governmental voting is one of  these vital systems as it decides the nation‟s leader. Many countries have adopted Electronic Voting (E-Voting) tofacilitate the elections process, and to overcome thetraditional voting problems especially in counting the votes,and for including citizens overboard, not available anddisabled people, in addition to increasing the voting turnoutand much more. E-voting “Is the use of computerized voting equipment to cast ballots in an election securely byimplementing the cryptographic voting protocols to make electronic voting secure and applicable”   [1].E-voting applications are growing in relevance as thepopulation of the world becomes more reliant on differentE-Voting technologies such as touch screens, kiosks,internet voting (I-Voting), Interactive voice response (IVR)landline telephone voting and Mobile voting (SMS) textmessage voting, and Digital television voting (IDTV) [2].These channels have to be highly secured to gain voters andusers confidentiality of the E-Voting system to increase the voter‟s turnout and peoples trust of the election results.The major issues faced the adoption of E-Votingsystems were on security as mentioned in part II, whichprevented voters from trusting the e-Voting systems.Solutions were provided to increase the security in electionprocess will be discussed in the related work next section.The suggested artifact framework is developed throughimplementing Trusted Platform Module (TPM) as TrustedComputing Standard (TC) attractive security solution foruse in voting machines because of its unique identity, widerange of security functions, hardware protection of cryptographic keys and software attestation. Voters aremore likely to trust a voting system that is more transparentand allows source code inspection to gain election integrityand voters trust. [3]This paper is organized as follows. Section II willpresent understanding of E-Voting context and issues, relatedwork of E-Voting system. Section III will discuss TPMfollowed by the propose solution framework addressing forthe identified problems in E-Voting system, finallyconclusion and references.II.   E-V OTING ISSUES  There are several weaknesses in the current E-Votingsystems, such as they are vulnerable to e.g. Sabotage the e-voting devices to stop them from running (Denial of service)or changing the election results by changing votes in somekey precincts. [4]  A.   Chain of custody An attacker who breaks chain of custody by insertingmalicious code or altering paper ballots could stuff the ballotbox, delete or switch votes, or add votes to contests that thevoter left empty[5].  B.   Vulnerability to Hacking Intruder threats can be like invading the secrecy of the vote, data theft and unauthorized access to the platform,Selling or buying the votes, Confusing or Forcing voters tovote in a particular way, Computing or changing theelection results. The intruder can be internal (who is a partof the E-Voting process and who can access the system inoff and on mode), or external (who can access publicinformation and is not part of the E-Voting system), anotherintruder type is malicious voter (who tries to cast more thanone vote or sell his / her vote) [6]  C.   Fraud 1)   Fraud by Election authorities: they may cheat byallowing ineligible voters to register, or allowing registeredvoters to cast more than one vote, or systematicallymiscounting or destroying ballots. 2)   Fraud by Ineligible voter: they may register (oftenunder the name of someone who is deceased) or eligiblevoters may register under multiple names.  3)   Fraud by Registered voters: eligible and non eligiblevoters may be impersonated at the polls, and ballot boxes,ballots, and vote counting machines may be compromised. 4)    Internet Security Issues: Internet voting is subject topotential risks due to the inherent insecurity of both theuser's machine and the network connection, either connectedto the central server or tabulator, some of the internet votingseurity issues are as follows: 4.1   The users‟ machines may have many different forms of computer viruses, "worms", "spyware",or "Trojan horse" applications [7].  4.2   Man in the middle attack (a network transmission is hijacked by an attacker who hasmanaged to control the channel through   two end-points of the transaction that communicated withone another) [7].  4.3   Denial of service attack : happens when theattacker, is able to prevent the communicationfrom taking place, by overloading one or theother endpoint of the communication.  4.4   A spoofing attack: happens when one of thecommunicating parties are tricked into opening asecure connection to a site controlled by anattacker.4.5   A "phishing" spoofing attack involves an emailcontaining an obfuscated link to a site, which hasbeen created to perfectly mimic the targetedwebsite along with an urgent request to "re-enter" sensitive personal information (credit cardnumbers, passwords, etc.).III.   R ELATED W ORKS E-Voting systems was introduced by Chaum in 1981as a simple flexible; protocol that enables voters to create areceipt for their preference . In 1988 Colin Boyd introducedanother scheme which was designed for ”Yes/No” voting,quantity of options can be increased by adding newencryption keys, voters verified by authorities. He tried toimprove his system in 1989 by adding voter‟s second private key to assure full privacy. [8]Up to 1992 A. Fujioka et al. Invented protocol thatcombines the techniques of blind signatures and anonymouschannels. However, serious issues that involve accuracy;which let the authorities vote for the voters that have notparticipated in the election, and voters must return whencommitments on all ballots are open, which decreasesquantity of votes and facilitate coercion. [8]While in 1997 Okamoto   introduced a schema based onUnstoppable channels that made it possible to design areceipt-free schema. It has a weakness of lost property, if the coercer provides the voter with information for the trap-door bit commitment scheme which made his schema hardto implement [8]In 2002 and 2004, D. Chaum proposed a method toprovide voters with a coded receipt that reflects their votebut does not reveal it to anyone else. The cost to implementD. Chaum's scheme was high because of its requirement thatall voting machines be equipped with special printers.[8]In 2005 SEAS was introduced that was described as asecure system for polling over computer networks. It wasbased on Sensus protocol ( Sensus vulnerability is that allowsone voter to cast vote in place of those that abstain from thevote) but SEAS avoids Sensus vulnerability. SEAS requireda list of eligible and registered voters to be available beforethe election takes place. But it   does not assure that no onecan view votes before the end of the election. And does notassure uncoercibility and it enables only universalverifiability; fraud can be detected after the voting ends.[8]By 2007 Cetinkaya and Odanaskoy introducedDynaVote   protocol, that secures all of requirements listed inthe general overview section as follows; The dynamic ballot   ensures diversity of votes which prevent coercibility. The PVID scheme   that solves the anonymity problem uses blindsignatures and has two main security flaws: The coercermay    buy voter‟s signed identity or just make voters give it directly to the coercer to send a vote in place of the voter.The Authorities may replace votes in place of voters thathave not taken part in the election because only theau thorities‟ signature is verified [8].Yee Designed a Direct Recording Electronic (DRE)voting machine with a greatly reduced trusted code base tosimplify software inspections, but the Inspections cannotprevent malicious tampering of the DRE immediately priorto operations. Jorba, et al Scytl architecture using ahardware security module to protect chained digitalsignatures. The issue was they were Vulnerable tocompromise through theft and replacement of the media   [9]   Still researchers are trying to improve E-Votingsystems, Chaum, and other researchers introduced   End-to-End (E2E)   systems such as Punchscan, Pr^et-_a-voter and  Three Ballot, in these systems Voters can check that theirvotes are recorded accurately using a receipt, and observerscan verify that the tally is correctly constructed, withoutcompromising ballot secrecy. The weakness is that theyrequire special kind of paper ballots format. Punchscanballots4 require two sheets of paper, and Prêt à Voter ballotsrandomize candidate name order [8] . IV.   TPM   AS   A   PROPOSED   SOLUTIONTPM was introduced as a trusted solution to overcomeprevious E-Voting systems issues, and was first used byArbaugh for voting in on-line protocol to attest systemsthrough a central server. The weakness was that he Omittedkey design details. Followed by Rössler, et al that usedTPM in postal-voting where each voter submits a ballotencrypted with a public key to the tallying server, alsoOmitted key design details.[9]As for Paul and Tanenbaum proposed E-Voting systemarchitecture incorporating TPMs, but the issue is that TPMs‟  role assures only presence of correct software the platformstate, and it is not bound to the casted ballot [9]. Feldman, et al using technology from the TCG, but could not preventmalicious code from changing future votes by altering databefore it was sent to the storage device [9]. As for Pearson et al gave comprehensive overview of TPMs, and Challenerprovided an excellent practical guide to the TPM forsoftware developers [9]. Although TrouSerS introduced anopen source implementation of the TSS, Strasser providedan open source TPM emulator to aid development [9].While Sevinc Described key distribution protocol that sendssecrets from a server to a TPM-enabled client, but theweakness is that server has no way to attest the softwarestate of the client.[9]For overcoming all those past TPM issues Fink, R., andSherman, A.,   Combined End-To-End Voting withTrustworthy Computing for Greater Privacy, Trust,Accessibility, and Usability, E2E features achieve many E-Voting system goals, but several gaps remain because of E2E untrustworthy software and poor usability. [9]V.   TPM   PROPOSED   SOLUTION   The main propose of developing the proposedframework is to manage a secure trustworthy E-Votingsystem, by securing each and every perspective of thesystem from its initial stage till the documentation stage, Inaddition to gathering feedbacks from the involved people tobe analyzed for the next election preparation andimprovement. This will include securing; data, network,servers, communication channels, storage devices and userdevices. All of this securing will be achieved; byimplementing TPM as chain of trust that combines hardwareand software security to provide trusted client device. ThisTPM chip provides Protected Capabilities, IntegrityMeasurement and Storage as Roots of Trust, IntegrityReporting and Attestation [10]. According to TCG thatTPM specification has been ISO   standard accepted whichreveals that deployment applications based on trustedcomputing infrastructure exhibit superior capabilities insecurity governance, risk management and compliancecompared to other respondents. [10] TPM Software Stack enables trust in network endpoints and secure network activities as shown in figure (1) below [11]:Figure.1   Trusted Platform Module   Software Stack (TSS)TPM can use cryptographic means to accurately report itsstate anytime, which can be verified to determine theplatform's integrity. By running on a TPM, each device inan E-Voting system operates in a verified environment,every device can attest to its state as for communicatingdevices can perform mutual attestation, to verify to eachother that both devices are in a valid state beforecommunicating. Using TPM approach, a trusted E-Votingsystem can accurately capture, count, and report the votessecurely [11].As for TPM features and functions enables more securestorage of data by doing its asymmetric key operations on-chip and provides hardware-based protection of databecause the private key used to protect the data is neverexposed in the clear outside of the TPM's own internalmemory area. the key is only valid on the TPM on which itwas created unless migrated by the user to a new TPM.Every TPM has different root of trust of storage, the datacan only be decrypted by the TPM that srcinally encryptedthe data. [12] As shown in Figure (2) below:Figure   (2) TPM Features  Another feature also is data sealing, which is bound datathat additionally records the values of selected PCRs at thetime the data is encrypted. The only restriction that isassociated with bound data, sealed data that they can only bedecrypted when the selected PCRs have the same valuesthey had at the time of encryption [12].Trusted Computing with the usage of TPM increasesprivacy by ensuring the correct software is running and bybuilding trustworthy electronic interfaces [9] . TrustedComputing TPM can benefit three critical areas:1). Privacy is platform attestation used to control signaturekeys only allows voting when the system has booted thecorrect software, mitigating the risks of unauthorizedsoftware disclosing private information, such as ScantegrityII ballot codes [9].2). TPM controls can reduce reliance on trusted chains of custody by ensuring that only the correct platform canaccess valid data. Finally verifying correct softwareoperation is crucial to detecting problems early and for moreusability [9].3). In addition to catching under votes and over votes priorto casting, managing the device signature key in hardwareand sealing it to the correct platform state would allow theballot to be signed only when the correct software wasrunning, further more sealing to the TPM prevents theft of the signature key. In this research framework will bedeveloped based on the TPM module, and will be providedfrom the initial stage of E-Voting securing the informationstorage devices, network , communication and channelspreferred for casting votes, such as mobiles and  pc‟s .VI.   P ROPOSED F RAMEWORK  The main propose of developing this framework is tomanage a secure trustworthy E-Voting system byimplementing TPM as chain of trust that combines hardwareand software security to provide trusted client device. ThisTPM chip provides Protected Capabilities, IntegrityMeasurement and Storage as Roots of Trust, IntegrityReporting and Attestation. For securing; data, network,servers, communication channels, storage devices and userdevices. The proposed framework consist of two parts, thefirst part concerns the E-Voting processes. The second partconsists of TPM implementation in the whole operation of E-Voting processes. These two parts will be explained asfollows:-   Part One - E-Voting Management Process Preparation for the election considers: Human factors suchas voters, candidates, employees, Technology Factors suchas the devices, operating systems, application and networks. Pre  –  voting At the beginning of the election the organizers of theelection campaign; will announce the information and theduration time of the E-Government Voting process, thenthey determine who is eligible to vote at the permitted time,after that ballot preparation and distribution this phaseincludes election information , candidates and votersidentification.   In addition to the awareness campaign ,   there should be training for the employees on the electionprocess including the use of the E-Voting system. Theadministrative and technical personnel should be trained onthe ethical, business and technical issues before theelections. As for managing the election process there shouldbe three teams that are supervised by technical team asfollows:   First  ; the Electorate Registration System: forbuilding the official database of voters.   Second  ; The Candidates Registration System: formanaging and updating Candidate„s information andverifying their eligibility to run in the election.   Third; the Voter’s Identity Verification System: for ensuring the authentication of voters‟ identities using an ID card or apassport. The Voter identification and registration is used toidentify the person either male or female, for the purpose of registering has a right to vote, thus identifying legitimatevoters.This will be done through authenticating the identity of thelegal person allowed to vote in a contest, and to authenticateea ch person‟s voting rights. Voter identification andregistration ensures that only legitimate voters are allowedto register for voting. Successful voter registration willensure the authenticity and anonymity of the voter, and willresult in legitimate voters being given a means of provingtheir right to vote to the voting system in a contest.Depending on national requirements or specific votingValidation of E-Voting channels, as for the internet votingmethod validation . There must be some consideration takenwhen voting by internet, that voters are voting on differentoperating systems, and on different devices which providethe necessity for the websites to be usable, user friendly andsecured. E-Voting system must be adapted to the differentsystems used by users, such as, for example, internetnavigators. The other thing E-Voting system must check upon the voters if they voted online they will not vote againphysically at the polling place, to avoid over voting not tomention checking the identity of the voter who is votingonline to avoid dead people vote or redundancy of voting. Other channels such as mobiles, DRE‟s …etc also must be validated for the accuracy of votes results. After validatingthe channels also maintenance and validation of the systemdevices as they should be ready for the voting operationnext step.    “Fig. 3” E -Voting Management Framework  Voting This process includes the e-voting channels and devices,such as touch screens, kiosks, voting websites, the votingdatabase, the encryption system, the vote counting systemand results presentation system. The primary function of E-Voting system is to capture voter preferences reliably, andreport them accurately. The critical process is betweencapturing the voter vote and voting on an e-voting system(machine), as the system should be able to prove that a voter‟s choice is captured correctly and anonymously from his/her selected voting method, and that the vote is notsubject to tampering. Voters can choose between castingtheir votes physically at the election place (poll site),remotely by internet voting (online / email) or by MobileSMS according to the different channel voters preference,after authenticating and authorizing themselves byproviding identification to a trusted official workers, forpreventing over or under votes administrators validates thecredentials of those attempting to vote when the electionprocess begins. Post  –  voting After voters have casted their votes, the administratorscollect the votes, then votes are processed and an electionresult is audited calculated and presented. Audit is theprocess by which the election authority representatives canexamine the process used by which the vote is collected andcounted to prove the authenticity of the result. Thenpublishing the final results and documenting the e-votingprocess. The system provides a facility to perform recount if there is any complaint about the results.-   Part Two - Implementing TPM on E-Voting System This technical part should be done according to the securityrequirements such as privacy, eligibility, uniqueness,fairness, receipt-freeness, accuracy, verifiability, andelaborate checklists presentation [1].Then applying TPMmodule through all the E-voting phases as follows; Phase 1: System initialization to check the integrity of theelectoral roll before the poll opens, and to make sure that thevirtual urn is empty and that the vote counters are set tozero, also securing the devices with TPM by sealing thestorage, and the electronic devices. Phase 2: Registering all the legible voters and storing theirinformation in a secured database (secured by TPM),Verifying   and authenticating the voters and the candidates.The voter must prove his/her identity to the manager of theelectoral roll. The procedure used may range from the useof an identifier combined with a PIN code to use of asmartcard, in this proposed framework usage of TPM keygeneration for better security. Phase 3: Securing E-Voting channels and devices by TPM,for an example as voting by the internet (I-Voting)protecting the voters passwords with a TPM, so that theservers on the other end can be assured who the user reallyis as the password is backed with the guaranteed identityfrom the TPM, and the user can be assured that access to theservices can only be made from the computer with the TPMinstalled.  Phase 4: If the voter is authenticated, he/she is credited witha random number, giving him/her the right to vote. Thevoter then   makes, from his/her virtual polling station, theselection, or selections, appertaining to the poll. Next isvalidation of the vote (check to ensure the voter has notalready voted). Phase 5: After casting the votes, and when the poll closes,the managers analyze the vote‟s then audit and count them,finally publishing the results and the documentation, if needed recount. Wednesday, June 23, 2010 A Trustable Electronic E-Voting Management Framework Using TPM VotingPre-voting Registration CandidatesVoters Authentications and ValidationManaging and storing voters and nominated candidates data DevicesVoters ServersData Bases Mobiles Storage DevicesClient Terminals Selecting E-Voting Channel DRE KiosksTouch Screens IVRiDTVInterntNetwork Casting Votes Post- Voting Counting and Auditing the votesPublishing the ResultsDocumentation     Secure Communication Network TPM Module Secured with TPM E-VotingChannels Certificate ServerCentral DB ServerWeb ServerAuditing and Counting Server Voting Through preferred channel   V o t e r  R e g i s t r a t i o n     C a s t i n g  V o t e s   Authentication   Res   ponse  Integrity Confidentiality  Authentication  Non-repudiation
Search
Similar documents
View more...
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks