This utility takes an audit trail generated by a vote3fe frontend and verifies that it meets some fundamental consistency properties. In particular, it verifies:
- That the server asserts that there are a particular number of entries, and that the number of entries match the assertion.
- That all the digital signatures on the entries verify.
- The hash chain verifies.
It also prints out timing information from the signatures, so you can check that voting happened in the expected time period and not before or after.
VAT does not require a local installation vote3 - you can verify an audit trail without installing anything. It runs without any external dependencies, and on Python 2 or 3. Verify an election today!
You can verify an audit trail with vat.py.
It will attempt to use the system's GPG. If GPG isn't found (maybe you are on Windows?) it'll just skip verifying the signatures.
To run it, go:
python vat.py http://server/vote/audit
where server is the address of the server running the election.
It will complain if you have GPG but don't have a copy of the Vote3 signing key locally: ask your friendly returning officer how to get it. (You don't get a copy when you download this because it's generated at random each time Vote3 is installed, otherwise it would be of no security value.)
Verification protects you against two things.
Firstly and primarily, it protects you against inadvertent programming errors in the Vote3 system and in vote counting systems by providing you with enough information to reconstruct the vote database and verify the vote count. In this capacity, the hashes and signatures are simply a way to be more certain that the operations occurred in the order specified.
Secondly, it protects you against a monkey-in-the-middle attack - an attacker who sits on the network in between you and the vote3 server has no ability to carry out undetetable attacks.
The audit trail should not be considered to provide protection against an untrustworthy administrator, or anyone who has a copy of the Vote3 private signing key. The properties of the system make pulling off an attack as a malicious administrator harder (or at least easier to detect) although this is not its primary purpose.
Verification proves that the attacker without access to the signing key cannot:
- Add an entry
- Remove an entry
- Modify an entry
- Make an undetectable change to a vote in transit.
An attacker with access to the signing key (e.g. a malicious administrator) can in theory do any of those three things, but they have a higher chance of being detected.
We assume that the voter/verifier has a clean copy of the Vote3 signing key.
We consider an attacker with active MITM (monkey in the middle) capabilities, and show that any of the 4 attacks (except removing the final message) require one or more of the following underlying attacks:
- forging a PGP signature
- forging multiple PGP signatures
- finding a SHA-384 pre-image for a given hash
- finding a SHA-384 collision for a given hash
Consider adding an entry. Here we assume the attacker notices that the audit trail is being downloaded, and replaces the true audit trail with an audit trail of their own:
- Adding an entry at the end is the easiest. An attacker calculates the SHA384 of the previous message, then writes their own message. They have to forge the signature on both that message and the count message.
- Adding a message mid-stream is harder. There are two possibilities:
- Create an arbitrary message and sign it. This will cause the hash to fail in the subsequent message, so every subsequent message will need to be modified and resigned. This means that the attacker must forge multiple PGP signatures.
- Create a message such that it matches the expected hash. This requires a pre-image attack on SHA-384 and the forging of a signature.
Consider modifying an entry:
- The attacker must forge a PGP signature.
- The attacker must also either:
- modify every subsequent message and forge their signatures too, or
- find a collision on the SHA-384 hash such that their modified message has the same hash as the original.
Consider removing an entry:
-
Truncating the stream is actually possible. The attacker can simply keep a copy of an old capstone message and provide it; thus tricking the reciever into believing there are any number of messages less than the complete number of messages. Manual verification that an election is opened and closed within the audit stream is required.
-
Removing an entry midstream is harder. The subsequent messages have to be rewritten and resigned, and a new capstone entry has to be forged.
- that the content of the messages is as expected - e.g. the election is not changed midway through, and is opened and closed as expected.
- etc.
This is not a comprehensive list.
- That the RO didn't keep votecodes to him/herself and use them to vote in the election.
- (With the current configuration) That the adminstrator isn't doing anything dodgy.
Here are some samples! Note that they don't form a complete hash chain, and you won't be able to verify the signatures.
This is an initial entry:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vote3 Voting System - Audit Trail
=================================
This is the initial entry in the Vote3 voting system audit trail.
This message should be GPG signed with the Vote3 voting system GPG
key. If it is not signed, or the signature does not verify, then the
integrity of the voting system may have been compromised.
Vote3 makes use of a hash chain to ensure the insertion, deletion or
modification of messages can be detected. The next message in the
audit trail must contain a SHA-384 hash of this message (including the
signature), encoded as UTF-8. If it does not contain a hash, or the
hash does not match the hash of this message, then the integrity of
the voting system may have been compromised.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUFo04AAoJEEL2Tq0PnDwibeUH/AjTK2AMCfq1rbzhhTVi0LgS
BkHzzr/Fgq5boXZSw9hbPmwauv9Y0VWpYnlsjZpj7zIJ/bmX2pzNN96N3/UvMKsR
i5x4AiBzqDgCArQ6hKAvbT7la5RJGLo0K121aLzs+ev0OLrP+K2tONFNznEwRDdu
VVqE9DEE4T0zZl9+IkceevcptlsxockdOvoy/ju5FUY898D4xYI+3JPdMmnlLcg3
vbzVGo6u9Yn8w+/x0Qd8QZPht/uAKA5ybVVqHfiva3LF8Jln54zuc2t46MPmUuMc
NCMEl9BkZqPh0i4oPS/AsDEpSv8/1BtltR/wR0SkLPX+lYFLM3EoUt6UykbpuwE=
=seBG
-----END PGP SIGNATURE-----
This is the entry immediately following (so you can verify that the SHA384 of the previous message matches the one specified here):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vote3 Voting System - Audit Trail
=================================
A candidate has been saved in the Vote3 system. This may be a new
candidate, a modification to an existing candidate.
ID: 1
Name: Cleaver Greene
====
This message should be GPG signed with the Vote3 voting system GPG
key. If it is not signed, or the signature does not verify, then the
integrity of the voting system may have been compromised.
Vote3 makes use of a hash chain to ensure the insertion, deletion or
modification of messages can be detected.
The hash of the previous message is:
41446dc39bc5e43527c3abec1534b2f2496d23000e73fdfc156ef1da0ca8fdca439b8ec91977954ba091873beea4116d
The next message in the audit trail must contain a SHA-384 hash of
this message (including the signature), encoded as UTF-8. If it does
not contain a hash, or the hash does not match the hash of this
message, then the integrity of the voting system may have been
compromised.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUFo2jAAoJEEL2Tq0PnDwi/YoH/28NyZtsKxHdQbNMQJqbWjma
oizGYFXCbBh1lKpjTXq/XswyXATFZZAEOOpRiX9i/bN/hMrOrXEFLTVbYy2LhZDY
QGB4DUOq7JFdVE9telWiWOxW+/IpzljOaP2sBuUGfUzdmJb6vIgjUMwupBv2E5Sq
amVEOv+TndE7ZxTbEoB+auHO8IaeSK6CA3sb3g0VOmybuITG7MIIaUYnmbH3j5sB
aYUxaIwo4C75bUJ6nlpuXHat3El0k4DM47z0l7YkarCviJOE4LNARm8q5UgTFkd9
/OtxLLowpU1w7+RZPPO339CQcejEFOAYza+iErT6M2oYlMjj6d1MmIj2Qfg6VTk=
=SttJ
-----END PGP SIGNATURE-----
And here's a random vote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vote3 Voting System - Audit Trail
=================================
A vote has been recorded in the Vote3 system.
The vote was recorded for election 1: President of the Universe.
The vote code used was: PNXtsFjlm3e1YZ8YtzoY6A
To aid verification that the vote recorded matches the voter's
intention, a list of POST variables submitted is recorded below:
csrfmiddlewaretoken: FFPkKWPSxBvUibO0zb4yhA3mXJX3xpz8
candidate-4: 4
candidate-1: 3
candidate-3: 2
candidate-2: 1
Based on the submitted variables, the recorded vote was:
Barney (4): 4
Cleaver Greene (1): 3
David Potter (3): 2
Cal McGregor (2): 1
If you are the voter and this does not match your intention, then
something is wrong. Please alert the returning officer.
====
This message should be GPG signed with the Vote3 voting system GPG
key. If it is not signed, or the signature does not verify, then the
integrity of the voting system may have been compromised.
Vote3 makes use of a hash chain to ensure the insertion, deletion or
modification of messages can be detected.
The hash of the previous message is:
790c6c9e0439395048056982d08829faf58f66c03d66b41bc8ba805fa2acff7e003ab846637d3fdcdf883aa90f2942d7
The next message in the audit trail must contain a SHA-384 hash of
this message (including the signature), encoded as UTF-8. If it does
not contain a hash, or the hash does not match the hash of this
message, then the integrity of the voting system may have been
compromised.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUFo6kAAoJEEL2Tq0PnDwiu4sH/AlAoo9npolCqWuHFNXLgmFj
IZ1AiQlxofDwl99SlEwnubp0QBQzDjJXImnW5BW6XFVAHYCAZfQkQ/Ee0dVMiRNL
1GguLBMwuH8gdtkCHUB2w3PyVleQtCBs1ptgBeU9oOur93alYcxtytoEBbrYoVGJ
nFA61ymfEUc/PE83nVPcCXn4IAArfuFyDAdczmujWGePFqTb+KCp/MZ8CVqtSNpH
duLT+Z7gF1gINvqGDIAaEuOgyKKxmIuSiaeSKDz7XfUcCE2MPYWVON51ucgTCLay
BXzGSEAIFWqMR0ZgTaPKeXW6e6rwcv6OGESzVRXVaaaAx1SL8x2057vdNeIAl6M=
=4+CH
-----END PGP SIGNATURE-----
Here's the final/count/capstone entry:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vote3 Voting System - Audit Trail
=================================
This is the count entry for the Vote3 voting system.
I assert that there are:
13
audit entries, not including this one.
The hash of the final message is:
042483bbf38e36f2ed48839c008e4a04920b289ca2c27d9509475c27068a49fdfe0680e34b548fa1359f37be27fdadb9
====
This message should be GPG signed with the Vote3 voting system GPG
key. If it is not signed, or the signature does not verify, then the
integrity of the voting system may have been compromised.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUH3sIAAoJEEL2Tq0PnDwi7I4IAIxI5EiVQ4Z3HcE2pi/Fl3SB
7If4UY8XGPJC/Lt2honuvRahxNMbTBKYwrASPdOrn0Tj8RECS7+6GlAKT+6xoIqP
4oUBMT4/gN9bp79wmlhB2b3Zc+v4ign1QJXwoxDn6DCQa/LTaDtaxu/ayXK85HVk
cuct8JuThrnktIKf8qnp/xvufAJ7NIx8oDcojtCORVrJi7Qq9jgdrtwDOpusKZXr
wakj4Z8Z9D/o8J//gKV8R1ZrgkorNeULASBR86E8/kUBkk7ndNnyW29kn6Q2KGMS
yD+bqGuXB6GQC6fXQN/SvdXyi1Wensu0f4B6bM1hIn1S0OGIYtFhnL465AhCOF4=
=BgCK
-----END PGP SIGNATURE-----