REPUBLIQUE
ET CANTON
DE GENEVE

 

Ge.ch > Thèmes > Citoyenneté > Votations - Elections > Votations > E-Voting > Security

Different views on eVoting · Security

1. The polling station an inspirational model
2. The conditions of security
3. It should not be possible to intercept, alter nor hijack electronically cast ballots
4. It should be impossible to read the content of electronic ballots before the official ballot counting procedure
5. Only registered voters must be allowed to vote
   Each voter has only one vote and can vote only once
6. It should not be possible in any case, even the during ballot counting, to link a vote and a voter
7. The voting web site must be able to resist a denial of service attack that could lead to server saturation
8. Voters must be protected against identity theft
9. The challenges
   The number of cast votes must be equal to the number of votes received. Any difference must be explained and corrected
10. It should be possible to prove that a given voter has voted
11. The system shall not accept votes outside the ballot opening period
12. It should be possible for the authorities in charge to check the proper functioning of the system
13. Conclusion

 

1. The polling station, an inspirational model

Since the introduction of vote secrecy, in 19th century, the question of safety - understood as control of each person’s right to vote, guarantee of vote anonymity and secrecy, transparent ballot counting and faithful transcription of the popular will - lies at the heart of the concerns of the authorities in charge of ballots. The current shape of the polling station reflects these concerns.

The French classic tragedies of the 16th century, the plays by Racine or Corneille, were built on the unity of place, time and action; similarly the polling station reunites in a unique setting the voters’ identification, the vote and the ballot counting. These three operations, crucial for the ballot proper management, take place in a perimeter that is totally controlled by the administration, often with the help or under the control of representatives of the political parties which ensure its neutrality.

The challenge of electronic voting is to preserve this controlled perimeter in order not to undermine the guarantees given to the citizens.

In this respect voting machines introduce an important vulnerability in the overall system design. Although these machines are placed in polling stations, their number makes it problematic to thoroughly audit each of them prior to any ballot. Besides, is hardly seems possible to find educated staff to properly operate them in every single polling station, without any wrong manipulation. So, although they rest within controlled geographic perimeter - the polling station - these machines decrease the control which the administration holds on the voting operations.

What about internet voting? The existence of a single CPU (in fact several coordinated servers) allows recreating a controlled perimeter. In Geneva, these servers are installed in the State’s surest computer room, in the basements of the Police headquarters. The physical access to the room is tightly controlled; only a small number of technicians are authorized to enter these premises. There is only one network access to the servers, via a dedicated optical fibre. This link is only activated during ballots.

The user is being challenged before being allowed to connect on the voting site, in order to verify his voter's status. The guarantee of anonymity, the secrecy of the vote and the transparency of the ballot counting process rely on the system’s architecture and the procedures described below.

For lack of being able to control the network, the State codes the data in a way that makes them illegible and unusable by a third party, whoever it is. This unbreakable encoding rests on encryption keys generated by pure random numbers generated by a quantum machine.

There remains an "actor" outside the controlled perimeter: the voter’s PC. There are several ways to master it. Geneva has chosen to send a Java applet to the PC in the voting session opening phase. This applet remains on the server (it is not downloaded to the PC) and thus never leaves the controlled perimeter. This small program verifies the execution of the vote transaction, encrypts the data which circulate on the web and prevents viruses or Trojan horse which might be in the PC to perform their dirty job, whether invalidating the vote or spying its contents. This applet also protects the voting right of online vote users, because it prevents manipulations which would make a vote illegible, disenfranchising the voter.

It is therefore possible to say that internet voting recreates the polling station paradigm by allowing in spite of the distance the control by the electoral authorities on a set of essential procedures and by allowing the popular control by delegation over the ballot counting procedure. In this, internet voting is distinctively safer than the other remote voting channel, postal voting, which does not provide for example a guarantee that each sent vote is indeed received or counted.

This article details the measures taken within the framework of the Geneva internet voting project to implement the controlled perimeter and protect the internet users’ voting rights.

2. The conditions of security

Internet voting must be simple and fast for the user while providing a high level of safety. The operational translation of this double requirement is explained in the following eleven "commandments":

1. It should not be possible to intercept, alter nor hijack any electronically cast ballot.
2. It should be impossible to read the content of electronic ballots before the official ballot counting procedure.
3. Only registered voters must be allowed to vote.
4. Each voter has only one vote and can vote only once.
5. It should not be possible in any case, even the during ballot counting, to link a vote and a voter.
6. The voting web site must be able to resist a denial of service attack that could lead to server saturation.
7. Voters must be protected against identity theft.
8. The number of cast votes must be equal to the number of votes received. Any difference must be explained and corrected.
9. It should be possible to prove that a given voter has voted.
10. The system shall not accept votes outside the ballot opening period.
11. It should be possible for the authorities in charge to check the proper functioning of the system.

We will examine here, commandment by commandment, the measures we have taken in Geneva to implement each one.

3. It should not be possible to intercept, alter nor hijack electronically cast ballots

The respect of this commandment defines the architecture of the system. What is at stake here is the protection the communication between the citizen and the voting server by implementing several measures that act as many superimposed layers.

The basis: a SSL connection

A connection based on the secure communication protocol SSL128 ("Secure Socket Layer”) is established between the voter’s PC and the server. This protocol encrypts the communications exchanged with internet servers working according to public key infrastructure (PKI). In PKI, a trusted third party associates a "digital certificate" to the server. This certificate guarantees the identity of the server. Within the framework of internet voting, this certificate is renewed every three months or even more frequently. This rate corresponds to the interval between federal ballots. If several ballots take place during this period, they will use the same certificate.

Currently, the SSL 128 is based on encryption keys of 128 bits of length. As all PC do not necessarily manage this key length, the system may install the key on the PCs for the duration of the voting transaction.
The voting servers are authenticated by a digital certificate generated by the State of Geneva. Citizens can check that a secure connection is being used by making sure that there is a padlock shown at the foot of their computer screen. Besides, they can control the certificate’s digital fingerprint which is reproduced on the voting card. Citizens are invited to perform this control by a specific message.

The secure channel, the exclusive safety complement

Inside the SSL connection we build for the duration of the voting session a specific secure channel using the latest headways in applied cryptography, quantum numbers.

At the beginning of the session, the voter supplies his voting card number, which changes for every ballot. Thanks to this number, a symmetric session key is negotiated between the server and the voter’s PC. All the sensitive elements of the transaction will henceforth be highly coded thanks to this key: vote intention, authentication data, code of control etc. The key’s life cycle is the duration of the voting session.

The voting card number activates a Java applet on the voting server. This applet stays on the server and thus never leaves the controlled perimeter. It verifies the execution of the voting transaction codes the data circulating on the web and prevents if necessary viruses or Trojan horses present in the voter’s PC to perform their dirty job, whether invalidating the vote or spying its contents. Among its functions, this applet also protects the voting of online vote users by preventing any manipulation which would return an illegible vote and disenfranchise the voter.

Servers’ architecture

Several servers’ types are involved in internet voting:

• The Geneva State main server gives access to information on the ballots. This server contains no link to other servers. The voter has thus to type the complete voting site address to avoid the diversions towards pirates sites.
  
  
• The internet pages server, protected by the SSL certificate, is mastered by the State. Its configuration has been hardened and optimized. It is accessible only during the voting periods; outside these, an error message is displayed.
  
  
• The application server, also mastered by the State, its configuration hardened and optimized, hosts the vote-specific applications as well as a share of the encoding algorithms used by the secure canal.
  
  
• Finally the database server is also mastered by the State and its configuration has been hardened and optimized. It contains the voters' register and the electronic ballot box including several mechanisms for confidentiality and control of integrity.

This secure architecture of in depth defence, whose constituents are all controlled by the State, is considered to be state of the art architecture as far as security is concerned. It respects and surpasses all the good practices in the field.

Internet and domain names

Internet navigation depends on domain names server, or DNS, which are the signposts of the internet. The DNS update is forced to an increased frequency: they are refreshed every few minutes instead of every few days. Any attempt of diversion will be at once discovered and countered.

Furthermore, the following mechanisms guarantee the citizen he is in a dialogue with the legitimate web server of the State of Geneva:

1. The voter can compare the voting server's digital certificate fingerprint with the imprint reproduced on his voting card. If these two imprints do not match, voters are instructed to terminate the voting session and call the helpdesk.
   
   
2. An "automatic" check of the server’s identity is performed during the voter’s authentication phase. When the system asks the voter his identifiers, it displays a unique alphabetic code reproduced on the voting card and linked to the card number.
   
   Only the State’s server can associate a given voting card number with the corresponding alphabetic code. This code is treated as an encoded image. It can neither be read nor reproduced by a third party spying the data flows on the internet. If by any chance the code shown on the screen doesn’t match the code printed on the voting card, the voter is instructed to terminate the voting session and call the helpdesk.

4. It should be impossible to read the content of electronic ballots before the official ballot counting procedure

To enforce this principle, the system specific servers are installed in the safest computer room of the State of Geneva, in the basement of the police headquarters. Access to this room is regulated by the police own safety rules. Only a small number of technicians are authorized to penetrate these premises, and never alone. Network access is limited to a single entry via a dedicated optical fibre which constitutes the only link with the web. This access is only activated during the ballots.

Thanks to the PKI architecture, every vote is individually coded by an asymmetric encoding key held by the controllers appointed by the State government upon proposal by the political parties. There is one controller for every political party. Their role is to ensure the democratic control of ballots. The public key is inserted into the application and is used in a transparent way by all citizens to code their vote. The private key is used to read the ballots. It is protected by two passwords defined by the controllers and known by them only. Without the controllers, who represent by delegation all the citizens, it is impossible to count the contents of the electronic ballot box.

Besides, the vote encryption realized by the symmetric session key (the secure canal) is being kept during the storage in the electronic ballot box. Votes are thus preserved in a double coded envelope until their counting.

For every question in a referendum, there are only three possible votes: "yes", "no" or blank. With so few possibilities, the code could be easily discovered. Therefore, every vote is completed by an arbitrary text before encoding to make the encoding inviolable. The problem is similar, yet less sensitive, for elections. There also, the vote secret is guaranteed by adding an arbitrary text to the eBallot paper before encoding.

5. Only registered voters must be allowed to vote
Each voter has only one vote and can vote only once

These two commandments are linked and complement each other. You cannot take one into account without implementing the other one too. The solution lies in the way a ballot is organized.

In Geneva, the inhabitants’ registry is centralized and computerized. This registry is constantly held up to date and it is the base for defining the list of citizens entitled to vote. Six weeks before a ballot, a voters’ register is extracted from the inhabitants’ registry; it determines exactly who is entitled to vote for the upcoming ballot.

Three weeks before the ballot day, that is the day when polling station open, every voter receives home a voting card, a ballot paper and the official documentation. The voting card is personal and can be used only for the upcoming ballot. This card embodies the voting right. It allows indifferently to vote online, by post or at the polling station.

To vote, citizens must fill their voting card with their birth date and sign it. Then, they can send it back by post with their ballot paper filled and sealed in a separate envelope. Or, if they prefer voting at the polling station, they can go there, hand back their filled card and slid their blue envelope in the traditional ballot box.

The voting card thus guarantees the principle "a man - a vote": when it is used, it cannot be used a second time.

To make internet voting as easy as the traditional voting channels, a PIN code hidden beyond a thin metallic layer is printed onto the voting card. This alphanumeric code is different for every voter and changes for every ballot. To insert his PIN code into the voting application, the voter has to scratch the metal film the way he would on a lottery ticket. The single vote is guaranteed by the fact that a scratched card is considered as having been used and does normally not allow to vote by another channel.

The voting card also contains a sixteen digits personal number which allows filtering the non-citizens “upstream” the voting procedure. This code is changed for every ballot. The chances to find by accident a valid number are one in a billion. A bar code corresponding to this personal number is scanned when registering the postal votes. This blocks the access to internet voting for the cards that have been scanned.

Voters who uncovered their PIN code but did not vote by internet can vote by post or at the polling station. Their status will be checked in the voters’ register before their vote is accepted.

6. It should not be possible in any case, even the during ballot counting, to link a vote and a voter

The anonymity and secrecy of the vote are guaranteed by three measures:

1. The electronic ballot box, which contains the encrypted votes, is not linked to the electoral register. The latter is common for all voting channels in order to prevent a citizen to vote twice, either by internet or by post.
   
   
2. The electronic ballot box is sorted in a haphazard way before being decrypted, which offers a protection against the misuse of log files. Indeed, it might be possible to reconstruct the order of arrival of the electronic ballots and break the vote anonymity by comparing this order with the date and time of each vote.
   
   
3. The electoral register used in the system does not contain names but only numeric identifiers. Accessing this register would not allow to know the voters' identities.

7. The voting web site must be able to resist a denial of service attack that could lead to server saturation

To protect the system against a denial of service attack or a massive attack, we integrated into it probes that report unplanned events. They notably react when:

• The same IP address requests too often the same page;
• Systematic attempts of identification are noticed;
• Abnormal and not foreseen requests on certain pages are made;
• Equipment breaks down (servers, disc system, firewall, network material);
• Software stops working (database);
• Abnormal modification of a file system is noticed;
• Unauthorized presence in the server room is noticed;
• etc.

When a probe is activated, the system automatically calls an operator and an emergency procedure is launched. These procedures were carefully planned with several degrees of intervention up to the highest level of the State.

According to the type of problem met, various levels of reaction are foreseen:

• The trouble is easily corrected, the authorities are informed but the ballot goes on.
• The problem endangers internet voting, it must be interrupted and the ballot continues by post and at the polling station.
• Erroneous votes were recorded and cannot be eliminated. It is necessary to cancel all internet votes and send new voting cards to voters having cast a ballot online. This is the equivalent of receiving a mail bag containing falsified votes.
• In the worst case, it would be necessary to stop the internet vote and continue only in the polling station. This is the equivalent of a complete blocking of the post offices, or worse of the destruction (by fire for instance) of postal votes.

Similar procedures are already foreseen for postal vote. In this respect, internet voting does not create new risks.

We also set very carefully all pieces of hardware (routers, servers, firewalls, etc…) in order to prevent the hardware from reacting to unexpected commands. Anything you do from your PC that is not coherent with a normal voting session will provoke no reaction from the system or event end the voting session. This way, would-be hackers cannot gather information on the system.

8. Voters must be protected against identity theft

The best way of protecting voters against any attempt of identity theft lies in the implementation of a strong authentication mean. We have envisioned the use of a PKI infrastructure where we would have handed every citizen a smartcard or a USB key containing his personal digital ID. Because the Confederation is currently conducting studies on this issue, Geneva waived this idea until citizens would be issued a federal identifier.

For the time being, the following measures are taken:

1. The length of the identification number is in itself a protection against attempts of systematic fraud. Indeed with sixteen digits, when only four are necessary to identify the ballot and six to identify the voter, there is only a chance on a billion to find a valid number for a ballot and so get access to the voting server. A massive attack has therefore only little prospects of success. Besides, the session is interrupted if the digits composing the identification number are typed at a speed of a digit every second or quicker. Finally, this number is randomly awarded to voters.
2. The file containing the information relative to the voters together with their codes never leaves the State premises. It is stored in an encrypted way and a dozen persons would need to cooperate and breach the law to get hold of this file.
3. The challenge presented to voters in the authentication phase combines an element which the voters possess, their PIN code, and two information they detain, their date of birth and municipality of origin. There is no public register for this two information. It is thus very difficult to vote for a third party. Possessing someone's voting card is not enough.

Besides, the following controls are made automatically:

• In the case of postal vote, every voting card that we receive back with a ballot paper is controlled to make sure it is signed and the birth date is correct. Should it not be correct or should the signature be missing, the whole voting material would be sent back to the voter. This situation occurs 2000 to 4000 times for every ballot. As citizens' reactions can indicate an attempt of fraud, they are carefully analyzed.
• Some 1000 signatures are compared with the signatures received for previous ballots. Any important difference is analyzed.
• For elections, 4000 to 8000 citizens are called on the phone to make sure they voted themselves and freely.

So far, we never came across a single forgery case.

9. The challenges
The number of cast votes must be equal to the number of votes received. Any difference must be explained and corrected

Any difference between the number of electronic ballots stored in the electronic ballot box and the number of voters who voted by internet indicates a system failure and would create doubts in the final ballot result.

In order not to lose any information, all the servers are replicated. The database itself is stored on a secured disk system (dual disk). All connection equipments are replicated.

To ensure the simultaneity of the vote and voter recording (the recording of the fact that a given voter has cast his ballot) we use the Oracle transactional database system. It ensures that both information are written simultaneously in two distinct databases, after having checked that the voter hasn’t already voted. The system also sends voters a confirmation of the recording of their vote.

10. It should be possible to prove that a given voter has voted

One of the differences between electronic voting and eBanking lays in the fact that, in the former, it is impossible to give the voter a proof of his transaction. In eBanking as in any other eBusiness transaction, the user can see the result of his action by receiving the goods he ordered, or by seeing his account’s position. In the vote procedure, giving a formal proof of the ballot content is contrary to the principle of anonymity and secrecy of the vote. It is however possible to give a receipt for the registered vote.

For that reason, at the end of the voting procedure, a confirmation page is displayed. Citizens can print it. The page indicates the day and time of the vote.

At any time during three weeks during which the ballot is open for remote voting, voters can log again into the voting web site and call this page again. They just have to insert their identification number. As the system registers internet and postal votes, it will reply by indicating the channel used to vote and the date and time of the vote recording.

11. The system shall not accept votes outside the ballot opening period

The internet voting web server is only connected to the network for a limited period of time which, according to the law, begins three weeks before the ballot and ends the Saturday before the ballot itself, at 12:00 am. The disconnection is realized by the server and by the network firewalls. Automatic processes insure the synchronization of machines and the management of this connection.

12. It should be possible for the authorities in charge to check the proper functioning of the system

In Geneva, every electoral operation is supervised by the controllers appointed by the State government upon proposal by the political parties. There is one controller for every political party. To control the proper functioning of the system, the controllers are provided with an electronic test ballot box, “control” voting cards and paper ballots. The controllers have to emit double control votes: they vote once online and record on paper what they voted as well as the number of the voting cards they used to vote.

When the ballot closes, these test votes are decrypted and counted by the controllers themselves. The result of the electronic counting is compared with the result of the paper votes’ counting. These two counts must be identical. The results stemming from this control are excluded from the official results.

As the test electronic ballot box is identical to 68 official electronic ballot boxes corresponding to the Geneva 68 polling stations, this process proves the end-to-end proper functioning of the eVoting system.

13. Conclusion

Today, the internet voting system developed by the State of Geneva fulfils the indispensable security requirements. It is safer than postal voting and even safer than some eBanking applications.

We will go on reflecting on the improvements we can make and implementing them to keep the same quality in a technologically evolving world.

The system fulfils the condition for the legitimacy of ballots for the following reasons

1. The State of Geneva owns the system and takes full responsibility for its functioning. In particular, the State doesn't depend on external companies for the system's maintenance.
2. We have formalised the processes associated with the organisation of a ballot, from the decision to organise it online until the results' validation. We have produced documents listing these procedures, to make it possible for the controllers to supervise the whole process.
3. Audits are performed on a regular basis.

These measures allow for a democratic control, even though only a fraction of the voters' has the knowledge necessary to fully understand the technicalities of the system. After all, the number of citizens who prevail themselves from the right to attend ballot reading in the polling station is very limited too.

Rév : July 2007