© 2019 UZH, CSG@IfI
The Swiss Postal Voting Process and its System and Security Analysis
Christian Killer and Burkhard Stiller
Department of Informatics IFI, Communication Systems Group CSG, University of Zürich UZH
[ killer ¦ stiller ]@ifi.uzh.ch
4th E-Vote-ID 2019, October 1-4, 2019, Bregenz, Austria
Outline
Introduction
Remote Postal Voting
Threat and Risk Analysis
Conclusions
Introduction – Advertisement
Swiss public initiative on a “Secure and trusted democracy”
Proposed Law
... if it is guaranteed that at least the same security against manipulation exists as in the case of hand-written voting ...
Comparing “Systems”
The Swiss RPV Case
The Swiss RPV is fragmented and difficult to generalize, due to federalism in Switzerland, autonomy, and the involvement of many external suppliers.
Goal: identify weaknesses of the RPV to allow for “hardening” of the RPV through security and risk assessment.
– Disclaimer: Focus on generalization, may not cover all cantons and processes exactly, leaves room for exceptions.
– Many exchanges with Swiss authorities and external suppliers
RPV From a Voter’s Perspective
PVPF: Postal Voting Process Flow
Identification of Stakeholders
(figure: stakeholder diagram; legend entries listed below)
Federal Government
Federal Chancellery
Cantonal Government
Municipality
Municipal Election Office
Eligible Voter
The Swiss Post
External Supplier
Security Threat
PVPF Phases
Divided into phases A to G with various stakeholders
PVPF: Postal Voting Process Flow
PVPF in Detail
PVPF: Postal Voting Process Flow
A: Setup, B: Delivery
THREAT EVENTS
TE1: Delay production of physical artifacts
TE2: ER master records
TE3: ER snapshot data
TE4: Forge physical artifacts
TE5: Steal assembled VEs before dispatch
TE6: Re-route VEs
TE7: Steal VEs from voter letterboxes
PVPF in Detail
PVPF: Postal Voting Process Flow
C: Casting, D: Storage, E: Tallying
THREAT EVENTS
TE8: Steal cast VEs from municipal letterbox
TE9: Re-route VEs
TE10: Cast stolen or forged VEs
TE11: Access stored VEs
TE12: Manipulate tallying
TE13: Manipulate final tally
F: Validation, G: Destruction
THREAT EVENTS
TE13: Initiate premature destruction
Recalling the Comparison
Conclusions
Heterogeneous Processes
Physical Decentralization
Substantial Trust in Third Parties
Distribution of Trust
Thank you for your attention.
Many thanks are addressed to Anina Sax, Annina Zimmerli, Dr. Christian Folini, Melchior Limacher, Marco Sandmeier,
and Dr. Benedikt van Spyk for their valuable input.
Backup Slide
PVPF in Detail
PVPF: Postal Voting Process Flow
Future Work
Adapt the PVPF to more cantons, which will allow a more granular level of detail and the identification of realistic Threat Events.
An inquiry into deployed proprietary tools is in progress, in active discussion with suppliers and authorities.
Risk Assessment
What would an adversary really do?