The Punchscan Voting SystemRefinement and System Design

Rick CarbackKevin Fisher

Sandi Lwin

May 8, 2006

New and Significant

• Punchscan implementation with current technology– requirements of hardware and software– Verification of software

• Data flow

• Interfaces

• Security properties of the system

Outline

• Punchscan Revisited

• System Design

• Data Flow

• Hardware and Software Components

• Interfaces

• Security Properties

• Conclusion

Punchscan Revisited

Punchscan Revisited

• Mark the hole with the character matching your choice.

• Split the two sheets. Scan one, shred one.

The Punchboard

Before the election, tables are generated like the ones above.

The Punchboard

Before the election, this is posted on the bulletin board. The grey boxes cover up how the ballots look

and are decoded.

The Punchboard

Next, the auditor chooses half the rows.

The Punchboard

After the election, officials fill the tables and release receipt halves.

The Punchboard

Auditors choose to reveal the left or right half of Decode.

System Design

Meet the Weebles!

Stage 1: Initialize Election

Stage 2: Pre-Election

Stage 3: Election Day

Stage 4: Post-Election

Data Flow

Data Flow

Hardware and Software

Ballot Authoring Software

• Operation–Defines how Ballot looks–Gives questions in required languages

• Low security–Works only with public data–Output independently verified on webserver –Access to webserver should be turned off after data is uploaded

Printer

• Must use secure paper

• Cannot keep ballot information–data fed to printer must also be destroyed/erased.

• Must fold the paper and punch the

hole in the top page.

Scanner

• Must be properly calibrated

• Only sends positions to the web server,

nothing else.

Shredder

• Must completely destroy the

half of the ballot the voter discards–Crosscut shredder–Incinerator

Web Server

• Needs load balancing to avoid DoS

• Needs strict access controls– Essentially all the things you would do to secure any web server on the Internet

• Database should be protected

• Has implications to voter confidence…

Diskless Workstation

• Permutation generation

• Generate printable ballots

• Encrypted with printer’s key

• Ballot counting

• Software verification

• Boots and runs software from

Linux Live CD

• Use hashing

• Computer with no hard drive

• Does not save data between meetings

Interfaces

Interfaces

• XML

• USB

• SQL Queries

Security Properties

Security Properties

•Subliminal Channels

•Scanner only records positions •Social Engineering

•Simplicity is the Key

•Denial of Service•Scanner Calibration Attack•Destroy Vote before Scanning Phase•Destroy equipment (scanner / Internet connection)•Destroy paper ballots•Spoil Punchboard•Spoil Printed Materials

Future Work

Future Work

• Implement defined elements with modern hardware and software

• Expand security discussion into formal attack tree

• Invite discussion, analysis from e-voting community

The End