Re: Crypto question: Hashing ultimate output for local use

From: Ed Kennedy <ekennedyx_at_yahoo_dot_com>
Date: Mon May 02 2005 - 15:26:58 CDT

Hello David:

That's good and it's clear. However, what if the local vendor/customizer
decides to add some malware to one or both of the two new files? Again,
we're being asked to 'trust' this person. I realize that this begins to
strain credibility but if I can think of it, less reasonable folks that are
more inclined to hysteria can think of it as well. Also, this is still the
same weak point I've mentioned from the beginning of this discussion. I'm
not saying it couldn't be dealt with but let's lay out some procedure to
deal with this potential or at least quantify the risk.

-- 
Thanks, Edmund R. Kennedy
Always work for the common good.
10777 Bendigo Cove
San Diego, CA 92126-2510
USA
I blog now and then at: <http://ekennedyx.blogspot.com/>
----- Original Message ----- 
From: "David Mertz" <voting-project@gnosis.cx>
To: "Open Voting Consortium discussion list" <ovc-discuss@listman.sonic.net>
Sent: Sunday, May 01, 2005 10:57 PM
Subject: [OVC-discuss] Crypto question: Hashing ultimate output for local use
>> All very well and good.  However, who would generate the Election Day 
>> startup hash of the whole disk if it must be customized for every 
>> election at every location?  This introduces the need for another 
>> 'trusted' (read NOT) person in the administrative process and therefore 
>> another weak point.
>
> Nah, it's much simpler than you suggest.  And it's even simpler than 
> Keith suggests with the whole PKI stuff (or at least it can be).
>
> Let's try a timeline approach:
>
> * January 1, 20??:  OVC publishes "EVMix-base-3.1.4.ISO" and its 
> hash=12345abcde for potential use in the forthcoming November elections. 
> The hash can go in newspapers or whatever, worldwide.  The ISO is 
> downloadable for openvoting.org, or by bit torrents, or whatever.
>
> * January 2: A million programmers download the ISO, and each one runs 
> 'sha EVMix-base-3.1.4.ISO'.  The million all see that the ISO matches the 
> hash 12345abcde. (well, I guess 51,393 of them had corrupted downloads, so 
> they try again :-)).
>
> * January 3: A bunch of certifying authorities, citizens groups, SoS's, 
> whatever, look over the contents of EVMix-base-3.1.4 for malicious code, 
> proper functionality, etc.
>
> * March 1: Everyone rejoins that EVMix-base-3.1.4 is excellent code with 
> no security holes.
>
> * June 1: All the local counties submit their ballot definitions to their 
> respective OVC-approved EVM vendors.  Since all the counties use the 
> IEEE-1622 standard for ballot definitions, these are all submitted as 
> files named ballot-definition-county-precinct-party.xml
>
> * June 2: Vendors add a couple such files to the ISO image previously 
> verified.  For example, the company "Open Voting of Franklin County" 
> (OVFC) creates an ISO that consists of:
>
>   EVMix-base-3.1.4.ISO +
>   ballot-definition-Franklin:MA-1234-DEM.xml +
>   ballot-definition-Franklin:MA-1234-REP.xml
>
> (it's easy to add a few files to an existing ISO).
>
> * June 3: OVFC sends the file EVMix-Franklin:MA.ISO to the County Clerk of 
> Franklin Co.  They also send a cover letter saying "The hash of this file 
> is 9876ffdd123."
>
> * June 4: The Franklin County Clerk publishes on its website the 
> following:
>
>   EVMix-Franklin:MA.ISO
>   ballot-definition-Franklin:MA-1234-DEM.xml
>   ballot-definition-Franklin:MA-1234-REP.xml
>   hash=9876ffdd123
>
> The hash, and maybe the XML files (which are human readable), are also 
> published in the _Greenfield Recorder_.
>
> * June 5: There are not a million programmers in Franklin County to care, 
> but there are a thousand.  These thousand people have already downloaded 
> EVMix-base-3.1.4.ISO back in January.  So today they download the XML 
> files.  They assemble the same revised ISO that OVFC did.  They run the 
> hash on their home-built composite ISO, and find it is 9876ffdd123.
>
> * November 2-8: Poll workers get their shiny CDs at polling places.  The 
> Republican poll watcher says: "I don't trust the authenticity of that CD," 
> and demands to run the hash on her Windows laptop (hash turns out to be 
> 9876ffdd123).  The Democratic poll watcher says: "I don't trust the 
> authenticity of that CD," and demands to run the hash on her MacOS machine 
> (hash turns out to be 9876ffdd123).  The Green poll watcher says: "I don't 
> trust the authenticity of that CD," and demands to run the hash on her 
> Linux machine (hash turns out to be 9876ffdd123).
>
> No one anywhere in the sequence trusts anyone else, nor should they, nor 
> do they need to.
>
>
> ---
> Dred Scott 1857; Santa Clara 1886; Plessy 1892;
> Korematsu 1944; Eldred 2003
_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
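The timeline above turns on one property: anyone who holds the January base image and the published XML files can rebuild the county image and recompute its hash. The script below is an added example, not code from the OVC thread or the OVC project, that models that procedure end to end and then checks Ed's concern about the vendor. Everything in it is constructed: the "ISO" is a deterministic byte layout rather than a real ISO 9660 image, the ballot files are placeholders, and SHA-256 stands in for whatever `sha` tool a verifier would actually run.

```python
"""Added example (not from the OVC thread): a minimal model of the
hash-chain procedure in David Mertz's timeline.  All data is constructed;
the 'ISO' is a deterministic byte layout, not a real ISO 9660 image, and
SHA-256 is assumed in place of the unspecified 'sha' tool."""
import hashlib

# Constructed stand-in for EVMix-base-3.1.4.ISO as published on January 1.
BASE_ISO = b"EVMix-base-3.1.4 (constructed placeholder for the verified base image)"

# Constructed stand-ins for the two IEEE-1622 ballot-definition files.
BALLOT_FILES = {
    "ballot-definition-Franklin:MA-1234-DEM.xml": b"<ballot party='DEM'>...</ballot>",
    "ballot-definition-Franklin:MA-1234-REP.xml": b"<ballot party='REP'>...</ballot>",
}


def sha256_hex(data: bytes) -> str:
    """One hash over the whole image, as the poll watchers compute it."""
    return hashlib.sha256(data).hexdigest()


def compose_iso(base: bytes, files: dict) -> bytes:
    """Deterministically append files to the base image.

    Assumption: a real build would run mkisofs/genisoimage with fixed
    timestamps and ordering so that two parties produce an identical image.
    Here the layout is: base || for each file in sorted name order:
    4-byte name length, name, 4-byte content length, content.  Sorting by
    name is what makes the vendor's image and a citizen's rebuild match.
    """
    out = bytearray(base)
    for name in sorted(files):
        encoded = name.encode("utf-8")
        content = files[name]
        out += len(encoded).to_bytes(4, "big") + encoded
        out += len(content).to_bytes(4, "big") + content
    return bytes(out)


def vendor_publishes(base: bytes, files: dict):
    """June 2-3: the vendor builds the county image and states its hash."""
    iso = compose_iso(base, files)
    return iso, sha256_hex(iso)


def citizen_verifies(base_hash: str, base: bytes, published_files: dict,
                     claimed_hash: str) -> bool:
    """June 5: rebuild the county image from independently checked parts.

    The base image is re-checked against the January hash first, then the
    composite is rebuilt from the published XML and compared with the hash
    the vendor claimed.  Nothing the vendor says is trusted; only what can
    be recomputed from published inputs counts.
    """
    if sha256_hex(base) != base_hash:
        return False
    return sha256_hex(compose_iso(base, published_files)) == claimed_hash


def demo():
    """Returns (honest_passes, undisclosed_file_caught, disclosed_change_passes)."""
    base_hash = sha256_hex(BASE_ISO)

    # Honest vendor: the rebuild matches the claimed hash.
    _, claimed = vendor_publishes(BASE_ISO, BALLOT_FILES)
    honest = citizen_verifies(base_hash, BASE_ISO, BALLOT_FILES, claimed)

    # Undisclosed addition: the vendor slips an extra file into the image
    # but publishes only the two XML files.  The rebuild no longer matches.
    with_extra = dict(BALLOT_FILES)
    with_extra["extra-unpublished-file"] = b"(constructed) content not in the published list"
    _, claimed_extra = vendor_publishes(BASE_ISO, with_extra)
    caught = citizen_verifies(base_hash, BASE_ISO, BALLOT_FILES, claimed_extra)

    # Disclosed change: the vendor alters a ballot file AND publishes the
    # altered version.  The hash check passes, because it only proves the
    # image equals the published parts; the XML content itself must be read.
    altered = dict(BALLOT_FILES)
    altered["ballot-definition-Franklin:MA-1234-DEM.xml"] = b"<ballot party='DEM'>changed</ballot>"
    _, claimed_altered = vendor_publishes(BASE_ISO, altered)
    disclosed_passes = citizen_verifies(base_hash, BASE_ISO, altered, claimed_altered)

    return honest, caught, disclosed_passes


if __name__ == "__main__":
    honest, caught, disclosed_passes = demo()
    print("honest rebuild matches:", honest)            # True
    print("undisclosed extra file matches:", caught)    # False: detected
    print("disclosed altered XML matches:", disclosed_passes)  # True: must read the XML
```

The three outcomes separate what the hash chain does and does not buy. It catches anything the vendor puts in the image without publishing it, which is why the rebuild step on June 5 matters more than the cover letter. It cannot judge the content of a file that is published, so the risk Ed raises about the two new files is bounded by the fact that those files are small, human-readable XML that the thousand rebuilders are also reading. In practice the rebuild only works if image creation is bit-for-bit reproducible, so the base image build options (fixed timestamps, fixed file ordering) would have to be published alongside the base hash.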
Received on Tue May 31 23:17:12 2005

This archive was generated by hypermail 2.1.8 : Tue May 31 2005 - 23:17:52 CDT