Re: code validation?

From: Arthur Keller <voting_at_kellers_dot_org>
Date: Tue Feb 22 2005 - 15:16:27 CST

How easy is it to "reverse engineer" a body of code to match a hash,
even one that's broken? Would listing the code length also help?

The CDs should have some suitable chain of custody.

One outstanding question is how we prevent the hash-code displaying
software from lying and giving the published answers even if the code
doesn't match.

Best regards,
Arthur

At 12:59 PM -0800 2/22/05, Edmund R. Kennedy wrote:
>Hello,
>
>In addition to what David says, my informed lay
>person's understanding of encryption tells me that the
>security issue here has to do with managing risk. In
>the end, it is a judgement call as to whether the risk
>is acceptable to most people.
>
>Thanks, Ed Kennedy
>
>--- David Mertz <voting-project@gnosis.cx> wrote:
>
>> On Feb 22, 2005, at 3:27 PM, Paul Kinzelman wrote:
>> > But I can take the code, insert my insidious
>> > fraudulent code, and update the hash code, then release the
>> > CDROM with my fraudulent code to unsuspecting precinct people,
>> > for instance, and the hash code will check.
>>
>> Well, in a word, 'No'.
>>
>> The hash code[*] isn't just distributed on a slip of
>> paper taped to the
>> CD. A given version of the OVC software will have a
>> known and
>> published hash. That hash would be published on
>> websites, newspapers,
>> etc., and any CD poll workers got that lacked that
>> published hash will
>> be deemed no-good.
>>
>> [*] I would have said SHA-1 three days ago, but now
>> that algorithm has
>> been broken by the same brilliant Chinese team who
>> broke MD5
>>
>> But actually, we've been through this quite a bit in
>> the archives.
>> We'll use Liam's StrongBox Linux (or something much
>> like it) which
>> includes a whole toolchain of all the "right" crypto
>> procedures.
>> Virtual disk images for different software sets
>> (voting station, audio,
>> tabulation, etc), bootable from CD, key layers for
>> public key
>> verification, and so on, StrongBox does all this
>> sort of stuff.
>>
>> _______________________________________________
>> OVC discuss mailing lists
>> Send requests to subscribe or unsubscribe to
>> arthur@openvotingconsortium.org
>>
>
>
>=====
>--
>10777 Bendigo Cove
>San Diego, CA 92126-2510
>
>Work for the common good.

-- 
-------------------------------------------------------------------------------
Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Sun Feb 27 17:17:10 2005
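
The check discussed in this thread, as an added example that is not part of the original messages or of OVC's software: an image is compared against a manifest published out-of-band rather than against a hash shipped with the CD. The manifest fields (length plus two independent digests), the sample image bytes and all function names are assumptions, and the verifying tool itself is assumed to be trusted.

```python
import hashlib
import hmac
import io

def make_manifest(image: bytes) -> dict:
    """Hypothetical manifest a release authority would publish out-of-band."""
    return {
        "length": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "sha3_256": hashlib.sha3_256(image).hexdigest(),
    }

def verify_image(stream, published: dict, chunk_size: int = 1 << 16) -> list:
    """Return the manifest fields that do not match; an empty list means a match."""
    hashers = {"sha256": hashlib.sha256(), "sha3_256": hashlib.sha3_256()}
    length = 0
    while True:
        chunk = stream.read(chunk_size)   # stream so a full CD image fits in memory
        if not chunk:
            break
        length += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    failures = []
    if length != published["length"]:
        failures.append("length")
    for name, h in hashers.items():
        # Both digests must match, so one broken algorithm is not enough.
        if not hmac.compare_digest(h.hexdigest(), published[name]):
            failures.append(name)
    return failures

# Constructed sample data (not a real OVC image).
RELEASED = b"OVC voting station image v1\n" * 4096
PUBLISHED = make_manifest(RELEASED)            # what the newspapers print
TAMPERED = RELEASED.replace(b"v1", b"vX", 1)   # same length, altered content
SLIP = make_manifest(TAMPERED)                 # hash recomputed and taped to the CD

def demo() -> dict:
    return {
        "genuine_vs_published": verify_image(io.BytesIO(RELEASED), PUBLISHED),
        "tampered_vs_slip": verify_image(io.BytesIO(TAMPERED), SLIP),
        "tampered_vs_published": verify_image(io.BytesIO(TAMPERED), PUBLISHED),
    }

if __name__ == "__main__":
    for case, failures in demo().items():
        print(case, "->", failures or "match")
```

The tampered image passes only against the hash that travelled with it; against the independently published manifest both digests fail.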
