The report is available here: audit-final-06.pdf
An Internet Voting System Supporting User Privacy
Aggelos Kiayias, Michael Korman and David Walluck
22nd Annual Computer Security Applications Conference (ACSAC 2006), IEEE Computer Society 2006, pp. 165-174.
December 11-15, 2006, Miami Beach, Florida, USA www.acsac.org/
This work introduces the ADDER system , an Internetbased, free and open source electronic voting system which employs strong cryptography. Our system is a fully functional e-voting platform and enjoys a number of security properties such as robustness, trust distribution, ballot privacy, auditability and verifiability. It can readily implement and carry out various voting procedures in parallel and can be used for small scale boardroom/department-wide voting as well as largescale elections. In addition, ADDER employs a flexible voting scheme which allows the system to carry out procedures such as surveys or other data collection activities. ADDER offers a unique opportunity to study cryptographic voting protocols from a systems perspective and to explore the security and usability of electronic voting systems.
State of Connecticut’s Moderator’s Handbook (2006)
Security, Storage & Transportation of Ballots & Tabulators to and from Polls
From the time the tabulators, memory card and ballots are received, they should be stored in a locked storage location not generally accessible. A log should be maintained of all persons having access to that storage location. The log should show the names dates times and purposes for all persons having access to that storage location.
Pre-election testing and sealing of memory card & tabulator
At the conclusion of the pre-election testing of machines, the memory card should be inserted in each tabulator and secured with a numbered seal. That number should be recorded on the pre-election testing report. A copy that report should be given to Town Clerk. The Clerk should give a copy of this report, including the number of the memory card seal number, to the Moderator when she picks up her supplies the day before the election.
The tabulator should be place in the bag in which it will transported to the polls. A second numbered seal should be attached to the bag. The bag should also have a label identifying the polling place to which it is assigned.
We present an independent security evaluation of the AccuVote Optical Scan voting terminal (AV-OS). We identify a number of new vulnerabilities of this system which, if exploited maliciously, can invalidate the results of an election process utilizing the terminal. Furthermore, based on our findings an AV-OS can be compromised with off-the-shelf equipment in a matter of minutes even if the machine has its removable memory card sealed in place. The basic attack can be applied to effect a variety of results, including entirely neutralizing one candidate so that their votes are not counted, swapping the votes of two candidates, or biasing the results by shifting some votes from one candidate to another. Such vote tabulation corruptions can lay dormant until the election day, thus avoiding detection through pre-election tests.
Based on these findings, we describe new safe-use recommendations for the AV-OS terminal. Specifically, we recommend installation of tamper-resistant seals for (i) removable memory cards, (ii) serial port, (iii) telephone jacks, as well as (iv) screws that allow access into the terminal’s interior; failure to seal any single one of these components renders the terminal susceptible to the attack outlined above. An alternative is to seal the entire Optical Scan system (sans ballot box) into a tamper-resistant container at all times other than preparation for election and deployment in an election. An unbroken chain of custody must be enforced at all times. Post-election audits are also strongly advised.
Read the rest of this entry »