AES Technical Briefing
Transcript of AES Technical Briefing
-
8/14/2019 AES Technical Briefing
1/53
Automated Election System
Does automation = clean elections?
Possible Problems: Preliminary Results
Technical Briefing
AES2010 Policy Study Team
Dean's Office, College of Law, University of the Philippines,
and
Center for People Empowerment in Governance (CenPEG)
-
INTRO
-
The AES 2010 Policy Study Team
One-year project under the Dean's Office, UP College of Law, aimed to:
Determine whether technologies for the 2010 elections are tamper-free, will be used feasibly and without any manipulation, and will ensure transparent, clean and fair elections;
Determine the capabilities, resources, and preparations of the Comelec and other related agencies as they play their pivotal roles in the automated national elections of 2010.
-
Technical study team
Election management study team
Legal study team
Research teams
-
What is AES?
A system using appropriate technology which has been demonstrated in the voting, counting, consolidating, canvassing, and transmission of election result, and other electoral process
-
Public perception of the AES
It would lead to clean elections
Cheating would be impossible in an automated election
-
AES System
Election Management System (EMS)
Election MarkUp Language (EML)
Precinct Count Optical Scan (PCOS) System: Precinct Machine
Consolidation / Canvassing System (CCS): BOC Computer
-
SMARTMATIC AUTOMATED ELECTION SYSTEM (SAES 1800)
PCOS Machine
-
SAES 1800 Precinct Count Optical Scan / Optical Mark Reader (OMR)
Detects the absence or presence of a mark in predefined positions on a form
-
SAES 1800 Components
Thermal Printer: 2-1/4 inch roll paper, rated to last 5 years
Input / Output Ports: CF Card Reader, UTP Ethernet Port, Disabled USB, RJ 11 Modem Port
Digital Scanner: 4-bit mono color scanner, 16 shades of gray
Display: Touch screen, mono-color display, Quarter VGA in size, 320x240 pixels
Ballot Box
Cast and Return Buttons: Disabled
RF Key
Processor and Memory: Not Specified
Compact Flash (CF) Card
-
Ballot Boxes with Transparent Panels
Compartments in the Ballot Box: Transparent Panels, Invalid Ballots, Valid Ballots
-
Software Specifications:
Operating System: Embedded uClinux
Possibly with uClibc
Possibly with GNU core utilities
Copyrighted under the General Public License (GPL) open source licensing scheme
-
Voting Flow using PCOS - OMR
BEI inserts physical key into PCOS machine to power it
BEI inserts CF card into PCOS machine to configure it
BEIs type passwords to initialize the machine (zero votes)
Voter fills up and feeds ballot into the machine
BEIs close poll and print ER
BEI attaches external modem to access internet connection
BEIs digitally sign electronic ER which gets transmitted to municipal, provincial and national servers
Canvassing
-
Configuring the Machine
CF Card (Smartmatic)
Inserting the Card
-
Initialization
Initialization Report
-
Voting
Sample Ballot
Feeding the Ballot into the Machine
-
Voting
ER (With Results)
-
Election Return and Transmission of Votes
ER Certification
External Modem
-
CANVASSING LEVELS
Data Flows
-
Consolidation Canvassing System (CCS)
Real-Time Electoral Information System (REIS)
Operating System: GNU/Linux
Software possibly written in a web server side programming language (e.g. JAVA)
-
Cities/Municipal. Input: ERs from precincts
Provincial/Congressional. Input: Statement of Votes and Certificate of Canvass from Cities/Municipalities
National. Congress: President and Vice President contests; Comelec: Senators and Party List contests. Input: Statement of Votes
-
PCOS Machine (counting): SAES 1800
CCS Server (canvassing): REIS
-
30 VULNERABILITIES
Pre-election * Election * Canvassing * Proclamation
-
6 Vulnerabilities On Voting Day
Hardware Failure: Start up or boot failure
Pre-marked legitimate ballots might be fed
Legitimate ballots rejected
Reading/scanning ballots from another precinct
Hardware/software failure
No backup units
Voter cannot verify if ballot is read/scanned correctly
Failure to accept password
Wrong CF card inserted
Failure of initialization function
Machine has stored ballot images already
Wrong program installed
Paper jam
Failure of function to close polls (premarked ballots can still be inserted)
Misreading of ballots
Mis-crediting of marks
Erroneous counting
Printer fails
Signing/encryption/transmission failure
Failure to accept password
Connectivity failure
(Voting flow steps shown on the slide: BEI inserts physical key into PCOS machine to power it; BEI inserts CF card into PCOS machine to configure it; BEIs type passwords to initialize the machine (zero votes); Voter fills up and feeds ballot into the machine; BEIs close poll and print ER; BEI attaches external modem to access internet connection; BEIs digitally sign electronic ER for transmission; Canvassing)
-
5 MAJOR TECH ISSUES
Software and Data Integrity
-
Highlights of Technical Concerns
Verifiability of Voter's Choice: Machine Interpretation of Ballot
Program Correctness: Review of Source Code
Program Integrity Verification
Protection of Transmitted Data: Digital Signatures
System Administration: Root Users / System Administrators
-
Voter's Choice Verifiability
Provide the voter a system of verification to find out whether or not the machine has registered his choice.
[Article 7 (n) of RA 9369]
-
Voter's Choice Verifiability
No sufficient mechanism for voter's choice verifiability.
Safeguard: Comelec has to enable the feature of the SAES-1800 that will show how the PCOS machine interpreted the ballot.
-
Program Correctness
RA 9369 requires Comelec to subject the source code to review by all interested parties.
-
Source Code
Human readable version of the computer programs running on the PCOS and BOC computers.
Will reveal whether the counting and canvassing are done properly
To prove that the PCOS and CCS programs follow RA 9369 and COMELEC ToR
-
An illustration of Java source code with prologue comments indicated in red, inline comments indicated in green, and program code indicated in blue.
-
Safeguard
Reviewed and approved source code
Machine executable format
Burned into each PCOS machine / Installed in CCS
-
Program Integrity Verifier
How can we know that the approved source code is installed?
-
Program Integrity Verification
The hash (one line of numerical value) verifies that the approved program is installed in each PCOS machine / CCS
The hash (integrity verifier) of the approved programs should be printed.
-
Safeguard
Comelec should subject the approved program to a hash verifier function
Provide the BEIs, political parties and poll watchers the hash value
On election day, the hash value of the program installed in each PCOS machine should be printed during the initialization stage
If the values are different from the hash value of the approved program, the wrong program was installed in the machine
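The initialization-stage hash check described in the safeguard above, as an added example written for this transcript (not code from the briefing or from the SAES 1800). The program image is a constructed stand-in, SHA-256 as the hash function and the function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for the approved PCOS program image; in practice this
// would be the executable burned into each machine / installed in the CCS.
var approvedProgram = []byte("PCOS counting program v1.0 (constructed sample)")

// ApprovedHash is the "one line of numerical value" Comelec computes once from
// the reviewed build and hands to the BEIs, political parties and poll watchers.
func ApprovedHash(program []byte) string {
	sum := sha256.Sum256(program)
	return hex.EncodeToString(sum[:])
}

// InitializationCheck is what the machine should do at the initialization
// stage: hash what is actually installed, print that value, and compare it
// with the published hash. It returns the printed hash and whether it matched.
func InitializationCheck(installed []byte, published string) (string, bool) {
	actual := ApprovedHash(installed)
	return actual, actual == published
}

func main() {
	published := ApprovedHash(approvedProgram)
	fmt.Println("published hash:", published)

	// Correct program installed: the printed value matches the published one.
	h, ok := InitializationCheck(approvedProgram, published)
	fmt.Println("installed:", h, "match:", ok)

	// A single-bit difference in the installed image (constructed) changes the
	// whole hash, so a wrong program is detected before any ballot is fed.
	tampered := append([]byte{}, approvedProgram...)
	tampered[len(tampered)-1] ^= 0x01
	h, ok = InitializationCheck(tampered, published)
	fmt.Println("installed:", h, "match:", ok)
}
```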
-
Protection of Transmitted Data
Immutability of Precinct Data
-
RA 9369
Section 22 Electronic Returns: "The (precinct) election returns (ER) transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the canvassing of votes and the proclamation of a candidate."
-
Comelec Implementation Guide: ToR/RfP AES2010
4. Counting, Consolidation and Generation of ER
4.3 The BEI shall physically sign and affix their thumbprints on all copies and on all pages of the ER
4.5 The BEI shall digitally sign and encrypt the internal copy of the ER
-
Digital Signature / Secret Key
A summary (hash value) of the ER encrypted using the BEI's secret key. The digital signature serves two purposes:
Identifies the BEI personnel who signed the precinct ER
It ensures that the precinct ER is not modified in any way by dagdag-bawas (vote padding and shaving)
-
What Happens If Another Person Knows the Teacher's Secret Key?
The other person, with malicious intent, can remove the BEI's signature, change the contents of the ER, and sign the modified ER (again) with the BEI's secret key.
Only the person who has possession of the BEI's secret key can re-sign the ER.
Any person who has possession of a majority of the BEI's secret keys can control the results of election 2010
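The signing and verification behaviour described on the two slides above (hash of the ER encrypted with the BEI's secret key; any change to the ER breaks the signature; only a holder of the secret key can re-sign), as an added example written for this transcript and not code from the briefing or the SAES 1800. RSA PKCS#1 v1.5 over SHA-256, the constructed ER text and the function names are assumptions; the 2048-bit key size is the one listed in Smartmatic's proposal.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample election return (ER) for one precinct.
var precinctER = []byte("precinct=0001;candidateA=312;candidateB=288")

// SignER hashes the ER and encrypts the hash with the signer's secret key,
// the "summary encrypted using the BEI's secret key" of the briefing.
func SignER(er []byte, secret *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(er)
	return rsa.SignPKCS1v15(rand.Reader, secret, crypto.SHA256, digest[:])
}

// VerifyER is the canvassing-side check: the signature must match this
// exact ER under the BEI's public key, or the ER is rejected.
func VerifyER(er, sig []byte, pub *rsa.PublicKey) bool {
	digest := sha256.Sum256(er)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	bei, _ := rsa.GenerateKey(rand.Reader, 2048) // one BEI member's key pair
	sig, _ := SignER(precinctER, bei)
	fmt.Println("genuine ER verifies:", VerifyER(precinctER, sig, &bei.PublicKey))

	// Dagdag-bawas on the ER body while the old signature travels with it:
	// the hash no longer matches, so the canvassing side detects the change.
	altered := []byte("precinct=0001;candidateA=212;candidateB=388")
	fmt.Println("altered ER, old signature:", VerifyER(altered, sig, &bei.PublicKey))

	// If the secret key is known to someone else, the altered ER can be
	// re-signed and verifies again; custody of the key is the real safeguard.
	resig, _ := SignER(altered, bei)
	fmt.Println("altered ER, re-signed with the key:", VerifyER(altered, resig, &bei.PublicKey))
}
```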
-
Comelec's Error
Bid Bulletin No. 10 (20090415):
The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC (whether city, municipal, provincial, district). For the NBOCs, the digital signatures shall be assigned to all members of the Commission and to the Senate President and the House Speaker. The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by the Comelec.
-
SMARTMATIC WILL CREATE THE PRIVATE-PUBLIC KEY PAIRS
In Smartmatic's financial proposal, Item 1.2.1.4 consists of 246,600 sets of 2048-bit private public key pairs for BEIs (3 per PCOS) at the cost of PHP0.00. The BEIs will be anonymous (will not be known by name) so that any teacher can sign in any BEI position.
This can only mean that Smartmatic itself will generate the key pairs, and so Smartmatic will have all the private keys.
-
Safeguards
Comelec should ensure that the secret key of the teacher is known only by the teacher
The ER and digital signature (encrypted hash value) should never be separated during transmission and storage in the Comelec databases.
-
System Administration
He Who Controls Technology,
Controls the Votes
-
System Administration
The root user/system administrator or super user: a human who can issue any command available on the computer, normally to do system maintenance or to recover from failure.
The root user can edit the precinct ERs if he has access to secret keys and change the election results.
-
Safeguards
Comelec should have enough precautions so that a root user is not needed to manually interfere with the election programs
In case of a breakdown, the root user's activities are all properly logged in publicly-displayed audit and log files in real time to be scrutinized by poll watchers.
The root user must not be allowed to log in from a remote / different location
-
What will happen if issues are not addressed?
Unless these issues are addressed satisfactorily by Comelec, Smartmatic, the Comelec Advisory Council (CAC), the Comelec Technical Evaluation Committee (TEC), and the Joint Congressional Oversight Committee, the computerized elections in 2010 can lead to computerized cheating or failure of elections.
-
HOW YOU CAN HELP
-
Area: Tasks
Source Code Review: System Administration, Keys and Cryptography, Data Communications and Processing, Event Handling
IT Research: Related Literature and Technology
Geographical Info System: Research, Encode
Website Development: Content management
Media and Publicity: Multimedia content production and design
Administrative: Transcription
-
Contact Information
Project Office
AES Policy Research Office, 3rd Flr. (UP Law Library), UP College of Law (Malcolm Hall)
Contact No: 029299526 / 09064924266
Email: [email protected]
AES Website: http://www.aes2010.net
CenPEG: http://www.cenpeg.org