Archive for January, 2008

Jan 27

E-voting benefits and challenges

in Analysis and production, Cryptography and Security. Comments Printable version Printable version

If there is one domain, where people are not ready to let computers supercede the old way, it is definitely voting. I am not saying that it is not possible, I am arguing that people don’t trust machine to handle their democracy.

E-vote will be sooner or later still adopted by every country but it is not a bad thing because when properly done it has very nice advantages.

Key advantages

The most obvious are:

  1. It is ecological: every time you vote, millions of bulletins are printed. That is an ecological waste of material and energy. So e-voting is good for environment.

    images

  2. You don’t have to count. In 2002, I accepted to count votes, because I felt that I had to do it at least one time in my life. Well that was a long night. Reading the same name again and again is so boring. It is definitely something, that I will be glad to delegate to computer.

    images (3)

  3. It is easier. Using e-voting will allow to vote from everywhere that is very handy for people that are away from their home. But it is mostly a must have for people that can’t, or have serious difficulty, to go to the voting office such as old people and sick people. It a sense e-voting will help to involve democracy, the weakest one which is something very important. Of course the system should have been easy enough

Of course theses advantages won’t bloom if the system is not secure. If you have any doubt, that the election is legit then the rest is nothing but air.

There is not yet a standard for e-voting, as AES for symmetric cryptography. However, there is many work done on the subject. One of the most important is to define what we want to achieve with an e-voting system. We call it security properties.

So even if a standard e-vote system is not yet ready, understanding the properties beyond it let you know what you can expect from it. It is like having computer spec before having the computer itself. You already know if it will be good or not.

Believe me, the properties associated with eat-voting are good, really good. I truly believe that it will help us to make a better world because it will help to protect our freedom and our opinion.

The following list of properties have been compiled, as part as survey, by Pascal Lafourcade a very good friend of mine and two master science students : Mathilde Duclos and Laure Fouard . They all work for the Verimag lab based at Grenoble (France). He gives us an impressive talk about eat-voting last week. Thanks to him for the talk and the copy of the slides.

Let’s review each property in none technical terms so you can understand what eat-voting will brings to you.

Privacy

No one except the voter should be able to determine the value of the vote cast by the voter.

images (4)

This is the base of the current democracy system. You can vote what you want and nobody could ever find out.

Receipt-Freeness

To me this is one of the most desirable property we can have.

Voter must neither be able to obtain, nor construct a receipt which can prove the content of their vote.

This property will improve the system because it prevents to things:

  1. Coercicion
  2. Vote buying

It prevents coercicion because the coercer have no way to figure out what you have voted because you can’t prove him what you have voted. Even under torture you have no possibility to prove that you say the truth making pressure useless.

lobbying2

 

Same for buying, You can’t buy vote for sure because the voter can’t prove you that he actually voted has ordered.

With the current paper based system, it is possible to coerce people. You give them two bulletins and you ask them for the remaining one after he have voted. An other technique reported by a friend is that, in some country (no name), the current leader name is on a red bulletin and the enveloppe are very thin. Therefore you actually know if the red bulletin is inside the envelope or not. That is clearly coercicion.

Having a coercicion free vote system could let us hope to deploy it where elections are doubtful to help people to express their real desires.

n-Robustness

Faulty behavior of a n-coalition of authorities can be tolerated. No coalition of voters can disrupt the election and any cheating voter will be detected.

That is a long one :)

It means that:

  1. even if one of the computer used to count vote is corrupted, it should not be able to tamper the election. I imagine here a scenario where bulletins are counted by the official government but also external observer (say the UN for instance). With this property, if the government is tampered by any means then it will be detected. This is a very good thing to have the ability to have external observers especially if you don’t trust your authority
  2. No coalition of voters can prevent the election results to be accurate. Means that the vote system is lobbying resistant
  3. If there is a cheat, it will be detected. You want to know if someone has tried to tamper the election or not and ideally who.

Verifiability

Verifiability aims at ensuring that the vote is verifiable to prevent incorrect voting results. It means that the entire voting process can be submitted to an external observer and that observer will be able to say if the vote is legit or not. A very important property in case of contestation.

loupe cv

Actually there is two kind of verifiability

Universal Verifiability

Any participant or passive observer can convince himself of the validity of individual votes and of the final tally of the election.

300px-ElectoralCollege2000-Large

If you remember how things went wrong in Florida in 2000 for US president election, then you know that is something we definitely need it.

Individual Verifiability

Every eligible voter can verify that his vote was counted.

I found out that this is an assumed property for current paper system. People believe that their vote are counted because they can follow the entire process from putting the envelop to the opening and counting vote. However, box can be switched, envelop can be switched and so on. As a magician I can tell you that there is plenty of options to do so. Thinks of using a mirror that split the box.

eticket

But what is important here is that people trust paper technique not computer. So they want to be able to check out that their e-vote was received. It is somehow similar with the plane e-ticket syndrome. People who use e-ticketing tend to verify twice because it appears more reliable than having a paper saying that you will have a seat. Which is of course not true but it is a well established believe.

Democracy

Theses properties ensure that democracy requirements are satisfied.

Eligibility

Only authorized voters are allowed to vote

If the goal is obvious the mean is not. Currently we use ID card. Well if I make a fake ID ? Who never saw a fake driver license to get beer while been in college ? E-vote means digital verification and there we have very nice option to verify more strongly who you are that a guy looking at thousand of card ID to see if one of them is fake. Verifying people ID by hand is also a great burden, so if the computer can do it for you, that can only be better because, machine dont get tiered or distracted.

whorl www.reachoutmichigan

Using biometric means seems the right things to do. For instance fingerprint can be easy to use: you just rub your finger before voting.

 

Preventing Multiple Voting

All eligible voters are allowed to cast the scheduled vote’s number (function of the election system and its part in it) and not more, such that voter has his intended power in deciding the outcome of the voting.

For instance your voting power can be based on the number of company shares you hold. Hence you want the system to enforce company share split for the vote. You also want to be sure that no one have more power than it should.

Fairness

This a very important property also:

No participant can gain any knowledge, except his vote, about the (partial) tally before the counting stage.

This will enforce privacy of course but it is also a guaranty that you can’t influence the intention of people that have not yet voted by unleashing rumors or using social dynamic. It will cut election gossip, because it will ensure that no one can have a hint before the result. Making us all equal, which is the goal of voting after all.

Problems and Future

Currently no e-voting protocol satisfies all the security properties presented above. It even appears that some properties might be incompatible. In a given formalism, which means that it might not apply in all case, privacy and receipt freeness have been proved incompatible

From a more practical point of view, it appears that some techniques proposed in theoritical papers do not scale well. The most famous example, I am aware of, is the use of mixnet to count vote results. If in theory using multiples mixnet ensure n-robustness, in practice with 3 mixnet counting 400 000 votes take several hours. From a psychological point of view this is not acceptable. People expect results as soon as the vote is closed particularly if it is a e-vote. They believe that is is only a simple count (which is far far from the truth) so the computer should be able to run it in a snap. Hence delaying results for several hours is suspicious for them. That is therefore not an option.

Other solutions than mixnet exist and in few years, e-voting will be part of our life. What I don’t know is how to convince people that the system is safe. I wonder how many people can read and understand a formal proof, probably not enough to convince the world. So one of the biggest challenge is to find a way one the system will be ready to make it accepted.

I hope that this little insight on the theoretical work beyond evoting have give you a taste of the future of evoting.

Thanks again to Pascal for his talk and see you next Sunday. I will talk about hardware this time :)

Jan 20

Iphone communication attack surface

in Analysis and production. Comments Printable version Printable version

Ever wonder how you Iphone is potentially vulnerable to attack ? Does leaving the bluetooth on or the wifi on leak information ? Does jailbreaking the iphone have an impact (Hint: yes)?

To answers theses question, I have run a couple of test on every Iphone communication channel namely:

  1. Inbound Net (TCP) Connections
  2. Out bound Net Connections
  3. Bluetooth communication
  4. Synchronization communication

To be the most accurate possible, I have run these tests on two iphone. A 1.1.3 freshly upgraded iphone (The one on the left of the photo), and a jailbreaked 1.1.2 one (The one on the right).

2iphone

 

 

Inbound Net Connections

I used Nmap for testing what service are open on each devices. First a good point, they do not answer to ping probe, neither the standard icmp or the TCP ping used by Nmap.

Firmeware 1.1.3

Nmap return the folowing result for the 1.1.3 iphone. As you can see, on port is open (62078) and the device is accuratly detected as an iPhone or a touch.

62078/tcp open unknown
MAC Address: 00:1E:52:04:B0:E3 (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Network Distance: 1 hop

Firmware 1.1.2

When Nmap is launched against the 1.1.2 jailbreakded iPhone, the following result is returned:

Not shown: 65507 closed ports, 26 filtered ports
PORT STATE SERVICE VERSION
22/tap open ssh?
62078/tap open unknown
MAC Address: 00:1C:B3:3E:00:2A (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Network Distance: 1 hop

As you can see, an extra port is open (port 22) and 26 ports are announced as filtered. I am not sure why they are filtered. It might be my wireless network, the fact the iphone might have been turned off, or they are really filtered which seems unlikely. Other blogs report, random filtered port also.

As you can see, jailbreaking the iPhone open a port (used to upload software and execute command). This is not an issue because openSSH is used for secure access all around the world even on sensitive server. What is an issue, is people who jailbreak their iPhone and then leave the default password (”alpine” if you want to know). So either you turn off the ssh server (you have an applet for that) or you change the password. Brute force attack against iPhone ssh server is still possible but with the appropriate lengh it should be reasonnably secure to leave it on.

What about the mystery 62078 port ? Well, this a feature introduced by apple :) This port is used internally for sync purpose. This rise the following question: Since there is no wireless syncing why this port is open on the wirless interface ?

Outboud Net connections

Outbound connections are mostly done through Safari. Therefore, I looked at the headers sent by the Iphone will requesting a page to see what information are sended by the iphone. I did so by writing a little PHP script to analyze the posted variables.

iphone language

First, it is possible to know in which language your iphone is thanks to the HTTP_ACCEPT_LANGUAGE. There is a direct correlation between the iphone language and the HTTP_ACCEPT_LANGUAGE variable. When I switch my iphone to French the HTTP_ACCEPT_LANGUAGE change too.

Firmware version

Secondly, two variables where different between the two iphone. The USER-AGENT and the CACHE-CONTROL

Firmware 1.1.2 send this:

HTTP_USER_AGENT Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3

Firmware 1.1.3 send this:

HTTP_USER_AGENT Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A93 Safari/419.3
HTTP_CACHE_CONTROL max-age=0

First of all, it is normal both iphone send a user-agent string that say they are indeed iphone. What bother me is the number behind the Mobile string (They are in bold). I guess they are firmware related because when I look at browser database there is only a limited number of iphone strings.

That may pose a security issue because it allows the target site to know if you are vulnerable to a certain type of attack or not. This is clearly not science fiction because as you may know the jailbreak technique is based on a flaw that affect safari. This flaw can also be used against you of course. Hence I don’t think that broadcasting firmware version is a good things. I dot see any situation where it can be useful.

Mail

Here the security is pretty strong. By default the communication for IMAP,POP and SMTP use encryption (SSL) by default.

Bluetooth

Last but clearly not least: The bluetooth stack. An often under look communication way, but many people leave it actually on.

First remark about it: It is hard to switch it on/off because it is buried on the general setting, so most people will likely let it on.

Edit (11 march): As pointed out by Paul in the comment the bluetooth switch from discoverable to hidden when you close the menu. Therefore my second remark was unjustifed.

Second remark, There is two way to have bluetooth on: either on and hidden or on and discoverable (other device can see you). In the iphone you have no choice, when it is on you are always discoverable. Here clearly simplicity was not a good idea.

For bluetooth analysis I used btcrawler. A bluetooth scanner for windows mobile made by c0rnholio’s. Sadly due to a german law, this soft is no longer available or updated (fortunately I still have a copy of it).

First of all, the two iphone does not see each other. That was expected.

Secondly when the iphone is discoverable, it is possible to scan it: Here is a screenshot of BTcrawler scan result when the bluetooth is turned on:

Screenshot 35

 

We clearly see that the first one is called “iLight” (1.1.2) and the other is called “Iphone de elie” (1.1.3). This is the exact name that you use to name your iphone.

More subtle both bluetooth address start with 001. I am not sure that there is a mac prefix for bluetooth device but It might be worth to checkout.

I went to a step further and scanned what service was available, by bluetooth.

Screenshot 47

There were many bluetooth services (that is expected), but I don’t know what the IrMCSyncService is for. Maybe Sync over bluetooth ? But as far as I know that is not possible ….

Having the bluetooth enable give too much information. Because it is constantly broadcasting information, it can be used to track you by the bluetooth mac. Moreover bluetooth attack exists, so that is definitely something to consider.

Sync port

This time, I hadn’t done all the tests my self (due to a lack of time) but it appears that sensitive information transferred between Itune and the iphone are encrypted using SSL. You can also see the sync from the inside by dumping packet on the local interface during the sync (remember the famous 62078).

Food for thought

This analysis is far from complete. Here are some point that I hadn’t check.

  • It might be possible that the iPhone “phone home” while getting online.
  • When accessing Itune store, some information such as unique id might be sent.
  • While accessing apple page, some additional data might be sent
  • Itune when downloading firm wire or synching the iphone might send data.
  • Why the bluetooth is always set to discoverable and have a sync service ?

As far as goes this analysis, I can say that Apple have cover pretty well the TCP/WIFI part of the iphone. For the bluetooth part and the user agent string I am more dubitative, I am not sure if it is intentional or if they run out of time before the release.

This quick study also gives clues that the wireless sync will come sooner or later: The 62078 port available on the wifi interface and the bluetooth service seems pretty intentionnal.

« Older Entries