Re: Crypto question: Hashing ultimate output for local use

From: Ed Kennedy <ekennedyx_at_yahoo_dot_com>
Date: Sun May 01 2005 - 23:23:14 CDT

Hello David:

All very well and good. However, who would generate the Election Day
startup hash of the whole disk if it must be customized for every election
at every location? This introduces the need for another 'trusted' (read
NOT) person in the administrative process and therefore another weak point.
I think that you (all) are going to have to go with modules.

Also, I think we're going to need some administrative process whereby either
all the poll workers or at least the poll captain signs off that the hash
they see is the one that was in the newspaper.

-- 
Thanks, Edmund R. Kennedy
Always work for the common good.
10777 Bendigo Cove
San Diego, CA 92126-2510
USA
I blog now and then at: <http://ekennedyx.blogspot.com/>
----- Original Message ----- 
From: "David Mertz" <voting-project@gnosis.cx>
To: "Open Voting Consortium discussion list" <ovc-discuss@listman.sonic.net>
Sent: Sunday, May 01, 2005 9:05 PM
Subject: Fwd: [OVC-discuss] Crypto question: Hashing ultimate output for local use
>> 1. What is to keep some malefactor from generating a new hash signature 
>> after tampering with the program and posting it as the correct hash 
>> signature? At the very least, it could be confusing.
>
> The hash can be made very public, and via multiple channels.  For example, 
> publish the correct software hash in both of the competing local papers 
> (one that endorses Republicans, one that endorses Democrats) two weeks 
> before the election; and also put a copy of the identical hash on the 
> county registrar's website.  And wherever else you want.  A tamperer would 
> have to tamper with all these channels.  Advance publication allows the 
> good guys plenty of time to make sure the published hash is the correct 
> one... yeah, I know, if it isn't, what do we do? It's a question, but not 
> an unanswerable one.
>
>> 2. I understand that the EVM will consist of at least two modules, a 
>> core and a front end with ballot design capabilities where election 
>> officials would enter the names of candidates and set the election 
>> parameters. If the entire program is meant to run from one CD how would 
>> the ultimate morning of election hash signature be checked?
>
> One technique is to hash the entire CD image.  Every major operating 
> system ships with an implementation of MD5 built in.  Plus there are a 
> number of Free Software implementations available.  So anyone, with any 
> operating system, can stick the "EVMix" CD in their computer, and run 
> something like 'md5sum /dev/cdrom'.  Then they hold their favorite 
> newspaper in one hand, and make sure the numbers published look like the 
> ones on screen.
>
> The point is, we don't want anyone to trust just the verification software 
> we provided (since we might have tampered with *that* too).  The 
> verification can be done with freely available and ubiquitous pre-existing 
> tools.
>
> The above, however, is not strictly the only possible sequence.  There are 
> also ways to hash more modular parts of the software toolchain.  And to 
> use a public key infrastructure.  And... But a master EVMix hash is clean, 
> easy to understand, and straightforward.
>
>
> _______________________________________________
> OVC discuss mailing lists
> Send requests to subscribe or unsubscribe to 
> arthur@openvotingconsortium.org 
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Tue May 31 23:17:10 2005
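
The check discussed in this thread (hash the whole medium with a pre-existing tool, then compare it with the hash as published in several channels), written out as an added example that is not part of the original messages or of OVC's software. The function names are hypothetical and the image in the demo is constructed; the digest command is a parameter, so `md5sum` as named in the message or another tool such as `sha256sum` can be passed.

```shell
#!/bin/sh
# Added example. Return codes: 0 = medium matches, 1 = medium differs,
# 2 = the published copies disagree with each other, 3 = usage or read error.

# Strip spaces and separators and lowercase the digits, so a hash typed in
# from newsprint compares equal to the tool's output.
normalize_hash() {
    printf '%s' "$1" | tr -d ' \t\r\n:-' | tr 'A-F' 'a-f'
}

# media_digest TOOL PATH: print only the hex digest of the medium or image.
media_digest() {
    "$1" < "$2" | awk '{ print $1; exit }'
}

# verify_media TOOL PATH HASH_FROM_CHANNEL_1 HASH_FROM_CHANNEL_2 [...]
verify_media() {
    [ "$#" -ge 4 ] || { echo "need a tool, a path and two or more hashes" >&2; return 3; }
    tool=$1; path=$2; shift 2
    reference=$(normalize_hash "$1")
    for published in "$@"; do
        if [ "$(normalize_hash "$published")" != "$reference" ]; then
            echo "published hashes disagree between channels" >&2
            return 2
        fi
    done
    actual=$(media_digest "$tool" "$path" 2>/dev/null)
    [ -n "$actual" ] || { echo "could not read $path" >&2; return 3; }
    if [ "$actual" != "$reference" ]; then
        echo "MISMATCH: medium $actual, published $reference" >&2
        return 1
    fi
    echo "OK: $path matches all $# published copies"
}

# Demo on a constructed stand-in image (not a real EVMix CD).
demo() {
    img=$(mktemp) || return 3
    printf 'constructed stand-in for a CD image\n' > "$img"
    good=$(media_digest md5sum "$img")
    spaced=$(printf '%s' "$good" | tr 'a-f' 'A-F' | sed 's/..../& /g')
    status=0; verify_media md5sum "$img" "$good" "$spaced" || status=$?
    rm -f "$img"
    return "$status"
}

if [ "$#" -gt 0 ]; then verify_media "$@"; else demo; fi
```

With arguments the script checks a real device or image, for example `sh verify_media.sh md5sum /dev/cdrom "<hash from paper A>" "<hash from paper B>" "<hash from website>"`.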