Many of us have dealt with electronic commercialism minutess. This is already a portion of mundane life. However. e-voting is non yet an obvious method for voting. The building of electronic vote system is one of the most ambitious security-critical undertakings. because of the demand for happening a tradeoff between many apparently contradictory security demands like privateness vs. auditability. Thereby it is hard to follow ordinary mechanisms of e-commerce. For illustration. in e-commerce there is ever a possibility to challenge about the content of minutess. Buyers get grosss to turn out their engagement in minutess. E-voters. in bend. must non acquire any grosss. because this would enable electors to sell their ballots.
In 2003. Estonia initiated the undertaking of e-voting. The purpose was to implement e-voting in the elections of the local authorities councils in 2005. In January 2004. a group of American security experts revealed the security study of Secure Electronic Registration and Voting Experiment ( SERVE ) [ 1 ] . The SERVE system was planned for deployment in the 2004 primary and general elections and allows eligible electors to vote electronically via Internet. After analyzing the security of SERVE. the group of security experts recommended that SERVE should be shut down. They besides declared that they do non believe that otherwise constituted undertakings could be more secure than SERVE. Their decision was that the existent barriers to success in e-voting are non accomplishments. resources. etc ; it is the fact that given the current Internet and PC security engineering. e-voting is an basically impossible undertaking.
The SERVE undertaking was terminated so in January 2004. At the same clip. Estonia continued to develop an e-voting system and implemented it harmonizing to the programs. The Estonian security experts published their security analysis [ 2 ] at the terminal of 2003. They declared that in practical sense the Estonian e-voting system is unafraid plenty for execution.
This beliing state of affairs was the chief instigator of this work. By closer position. both security studies are consistent and contain truthful and
converting statements. One of the chief grounds for two wholly different consequences was the deficiency of incorporate rational security analysis in both studies. Some of the statements were rather emotional. being based on experts’ subjective sentiments and “common wisdom” .
The purpose of the work is to accommodate rational security analysis methods for analyzing the two evoting systems. It gives us the possibility to compare the practical security of these systems. In perfectly unafraid systems unexpected events are non possible. We may woolgather about such systems. but they can ne’er be achieved in pattern. This applies peculiarly to evoting systems. Sing the security degree of personal computing machines. it is impossible to plan e-voting systems. which are perfectly unafraid for every user. The most of import security end of vote is non to impact the concluding consequences and non to mistreat the rules of10 democracy. The individual incidents with users are still of import but they do non hold influence to the concluding consequence. Furthermore. even in traditional vote systems small-scale incidents are acceptable. Therefore. in practical security analysis of e-voting we should concentrate on large-scale menaces.
One of the rational attacks of security is known from theoretical cryptanalysis: security decreases. which are cogent evidences that security conditions held under certain combinative premises. such as hardness of factoring or Diffie-Hellman job. For turn outing practical security. we besides need empirical premises about the existent universe. Furthermore. in theoretical cryptanalysis the antagonists are considered to be Turing machines. which are chiseled and comparatively easy to analyze. The existent universe antagonists are human existences with unpredictable behaviour and different motivations. Hence. for analysing practical security. we need existent universe antagonist theoretical accounts. There are plants. which effort to pattern existent universe antagonists.
In 2006 Buldas et al [ 3 ] presented a hazard analysis method against rational onslaughts. which used premises about existent universe antagonists. In this work. we are traveling to accommodate their method for analysing the security of e-voting systems. in peculiar. for comparing the two systems. In Chapters 1 and 2. we give the general background of e-voting. In Chapter 3. we describe the Estonian and the SERVE e-voting systems and stress the differences of the two systems by paying attending to the points. which could impact the systems’ security. However. merely indicating out the differences is clearly non plenty to claim that one of the systems is unafraid and the other one non.
In Chapter 4. we give the practical security analysis for the two systems. First. we describe the security analysis method. In Section 4. 2. we create the e-voting procedure theoretical accounts for SERVE and for the Estonian e-voting system. Adversaries are portion of the environment and their actions are unsought events. For mensurating the security we create an adversarial theoretical account in Section 4. 3. In our analysis antagonists are rationally intelligent individuals who attack merely. if this is profitable for them. Hence. antagonists estimate the additions and the costs of onslaughts. In Section 4. 4 we define the security premises and give their justifications. Security premises are certain widely believed conditions. which give the footing of demonstrable security. Section 4. 5 gives the security analysis of SERVE and of the Estonian e-voting system based on the security premises by utilizing the demonstrable security attack. In this work. we do non wholly formalise the security statements. but in rule they can be formalized. We justify non widely believed premises in Subsection 4. 6. 3. In this justification we besides study the influence of society to e-voting security.
In Section 4. 6 we justify less obvious premises by utilizing onslaught trees risk analysis. In Subsections 4. 6. 1 and 4. 6. 2. we create a conjectural environment theoretical account. First we present the demand of environment parametric quantities for analysing the practical security of evoting systems. Following. we define the society features. which can impact to success onslaughts against e-voting systems. For illustration. we assume that some users notice. if their computing machines are infected and inform Electoral Committee about that. On the other manus. all electors are non honest ; some of them are agree to sell their ballots to involvement groups who11 have purpose to impact the consequence of vote. Additionally. we consider that some members of the development squad of e-voting system can be corrupted. Obviously. it is a serious menace in e-voting systems. Large-scale onslaughts involve many people and hence there is ever possibility that person leaks the information. which could do the aggressors to be caught. We present all these conjectural features in Subsection
4. 6. 2. This environment theoretical account is non perfect. but can be considered as the first measure to officially analyse the influence of society to the security of e-voting systems. In Subsection 4. 6. 3. . we analyze adversaries’ activities in defined environment theoretical account for mistreating e-voting systems. This empirical analysis uses multi-parameter onslaught trees [ 3 ] . For illustration. the cost and the success chance are considered as parametric quantities of onslaught. We justify some of the security premises. which were used in old subdivisions. We show that the Estonian e-voting system is practically unafraid in the defined environment theoretical account. The SERVE undertaking has exposures in the system design. which makes it possible to execute voting-specific onslaughts. Additionally. we show that sensible alterations in our environment theoretical account will non alter the consequences of this analysis. This means that if the defined environment theoretical account so reflects the world. so the Estonian e-voting system is more unafraid than SERVE and the security experts’ sentiments were sensible.
It turns out that the chief proficient disadvantages of SERVE. which make it less secure than the Estonian system. are:
· non-encrypted ballots in an e-voting waiter ;
· no independent log file system to look into the rightness of procedures of e-voting waiters ;
· ballots numbering waiter is on-line and contains. besides ballots. besides the names of electors ;
· ballots are non signed by electors.
For specifying the environment theoretical account. we have tried to gauge the features of environment every bit near as possible to existent society. We have used information from Internet. from research documents. interviews with public prosecuting officers and studied well-known assaultive scenarios. This environment theoretical account is non perfect ; the appraisal of environment features is subjective. However. it defines the demand of environment features for analysing a practical security in e-voting systems. Future works towards polish of the environment model’s features decidedly would better this security analysis. Equally far as we know. there are no correspondent security analyses published for e-voting systems. Therefore. this work can be considered as one of the first stairss in this country.
2. State of the art
In this chapter. we give a brief overview of different sorts of electronic vote systems. This list is non perfect ; nevertheless it gives us a glimpse of how electronic vote is implemented in Europe and in the United States.
The chief grounds for a authorities to utilize electronic elections are:
· to increase elections’ activity by easing the casting of ballots by electors ; · to cut down elections’ and referendums’ disbursals ;
· to speed up ballot numeration and the bringing of voting consequences ; · to enable electors to project their ballots from different topographic points. non from merely a peculiar polling station.
The Internet vote system [ 22 ] was used in the national referendum in Geneva Guangzhou of Switzerland in 2004. In Switzerland. elections or referendums are held four or five times a twelvemonth. There are 580. 000 Swiss citizens populating abroad. to compare with 7 million dwellers in the state. It is of import to supply them with an efficient and simple vote system. Approximately 52 % of the Swiss population has Internet entree. both at place and at the workplace. For all these grounds. the authoritiess. both in Geneva and at the Federal degree have decided to develop Internet-voting solutions.
3. Description of e-voting systems
This chapter presents the elaborate descriptions of an e-voting system. In the beginning. we describe how e-voting systems work. Following. we give the descriptions of the Estonian evoting system and the Internet vote undertaking Secure Electronic Registration and Voting Experiment ( SERVE ) in the United States of America. Finally. we point out the chief differences between the two e-voting systems.
3. 1. General description of e-voting systems
By and large. e-voting systems consist of six chief stages:
· voters’ enrollment ;
· hallmark ;
· vote and votes’ economy ;
· votes’ managing ;
· votes’ numeration ;
The voters’ enrollment is a stage to specify electors for the e-voting system and give them hallmark informations to log into the e-voting system. The hallmark is a stage to verify that the electors have entree rights and franchise. The vote and vote’s economy is a stage where eligible electors cast ballots and e-voting system saves the standard ballots from electors. The votes’ managing is a stage in which ballots are managed. sorted and prepared for numbering. The votes’ numeration is the stage to decode and number the ballots and to end product the concluding run. The auditing is a stage to look into that eligible electors were capable to vote and their ballots participate in the calculation of concluding run. Additionally there are some other e-voting specific regulations verified in this stage. Figure 1. Phases of e-voting.
The proposal could keep the major rule of e-voting ; which is of being similar to regular vote system.
The system was compliant with the election statute law and rules and was at least every bit secure as regular vote.
Therefore e-voting must be unvarying and confidential. so the national commission could successfully do the system indistinguishable and besides maintain the highest degree of security.
The national commission ensured individual ballot for a individual individual by revoting and sing the last given ballot on their web site. They will once more set up traditional system of voting if any individual wants to alter his sentiment and this ballot will acquire higher penchant than evote. The procedure of roll uping ballots was secure. dependable and accountable.
The national commission didn’t wholly acquire out of the traditional vote system. Hence the system couldn’t cut down the cost instead there was an rush in the cost as they are carry oning both the evoting session and the traditional vote system. The procedure is clip devouring as the national commission allows the electors to vote on their web page from 6th twenty-four hours to 4th twenty-four hours before the traditional canvass. As a consequence the procedure takes at least 7 to 8 yearss to print the consequence.