KASPERSKY LAB CYBER SECURITY CASE STUDY - … LAB CYBER SECURITY CASE STUDY ... Introduction Voting...
Transcript of KASPERSKY LAB CYBER SECURITY CASE STUDY - … LAB CYBER SECURITY CASE STUDY ... Introduction Voting...
KASPERSKY LAB CYBER SECURITY
CASE STUDY
TEAM NAME: CYBER PANTHERS
DHANISH MEHTA
PRAVEEN KUMAR P.S.
SAMIR MAMMADOV
FLORIDA INSTITUTE OF TECHNOLOGY
MELBOURNE, FLORIDA
Contents Introduction .................................................................................................................................................. 3
The Blockchain .............................................................................................................................................. 3
Paradigm interoperability issues .............................................................................................................. 5
User Authentication ...................................................................................................................................... 6
Enrollment/User Registration ................................................................................................................... 6
Improvements for Authentication ............................................................................................................ 8
Security Features .......................................................................................................................................... 8
Voting Timeout ......................................................................................................................................... 8
Voter Token Generation ........................................................................................................................... 8
Built-In Virtual Private Network (VPN)...................................................................................................... 9
Voting Process ............................................................................................................................................... 9
User Experience ............................................................................................................................................ 9
Security Challenges ..................................................................................................................................... 10
Voter Authenticity ................................................................................................................................... 10
Voting under duress ................................................................................................................................ 11
Interim Results ........................................................................................................................................ 11
Voting Decision ....................................................................................................................................... 12
Voting Aftermath .................................................................................................................................... 12
Conclusion ................................................................................................................................................... 13
References: ................................................................................................................................................. 14
Introduction
Voting is one of the central tenets of governance and has constantly been evolving
throughout our history. Thanks to the latest innovations in cryptography and peer to peer
networking, Satoshi Nakamoto came up with one of the most groundbreaking technologies in
recent history - the block chain. With the power of blockchains, we can now envision a future
with convenience, easy scalability and better efficiency in electronic voting. With the digital
voting system there is a possibility of getting compromised by several vulnerable attacks and we
are proposing a solution to eliminate the possibility of this system getting compromised [1].
The Blockchain
The blockchain is a relatively new technology for storing a continuous ledger of records
that is tamper proof. It is a type of distributed database that stores information based on blocks
which are cryptographically connected to the last block thus forming a chain. This data is
distributed amongst the many nodes and miners in the network whose job is to verify the validity
and integrity of the chain by solving the hashes involved in the transactions [2].
As a worked, proven example we will describe the Bitcoin system and architecture.
Bitcoins are essentially a digital currency that is backed by the technology of cryptography and
the user base rather than a certain physical good (silver, gold standard) or the word of a
government [3]. The Bitcoin architecture mainly relies on two concepts: peer to peer (P2P)
networking and basic public/private key cryptography. Once a user establishes his account
(wallet) he is issued an address and a set of public/private keys. The user can then use this
address just like an email address. If someone has your Bitcoin address, they can send you the
currency provided they can prove that they have sufficient funds [2].
It is important to note that the Bitcoin is not a perfectly fungible good. This means that
every single Bitcoin is unique and is not exactly the same as every other Bitcoin. All Bitcoins are
equal in terms of value, but not all Bitcoins are the same. This is not a big deal when you are
dealing with just one blockchain, but becomes more of a concern when the concept of sidechains
is introduced.
A sidechain is an even newer innovation and it introduces interoperability between
blockchains and their different tokens. By setting up a two-way peg the user is able to transfer
tokens “between chains at a fixed or deterministic exchange rate” [4]. This means that you can
"pass" tokens from one blockchain to another without having to worry about creating a new type
of token on that sidechain.
Source: www.blockstream.com
This can come in handy in a case where a country has a law requiring a certain hierarchy
for counting and reporting votes. We propose using this concept of sidechains to represent this
hierarchical structure. Therefore, if the law states that votes need to flow from county to state to
the federal government we can create county many sidechains that would then pass on their
token to the state-level sidechain which is finally passed to the main federal-level blockchain. In
our case the sidechains would only need a one-way peg since the votes would never have to flow
back to the county-level chains.
Paradigm interoperability issues
The blockchain is an inherently decentralized system that gets its advantages of tamper-
proofness and reliability from the architecture of the system. No one machine is the master node
and no one machine has the official record. Instead the blockchain is mined by any number of
users on the network which each contribute to solving hashes for verifying every transaction. In a
sense, this directly counters the notion of a government and the economy as most governments
and the current economic system are inherently centralized.
The power and security of the blockchain comes from the fact that no single user has
complete control of the network, all transactions are publicly visible and verifiable and the
legitimate users, theoretically, do not have any incentives to attack the network due to the
economic disadvantages. Therefore, some users argue whether a private, centrally controlled
blockchain is still a proper blockchain since the controlling party would have 100% ownership of
the hash rate [5].
User Authentication
As the voting is digital, users will enroll and vote online at their premises using their own
devices. The complete voting procedure has to be made more secure as there could be several
possibilities of suspicious and fraudulent activities. Hence, we propose the blockchain
architecture with Public Key Infrastructure (PKI) along with the option of adding multi-factor
authentication to provide a secure digital voting experience.
In our proposed system, users are given the freedom to register their votes from any of
their devices such as: laptops, desktops, smartphones and tablets. The voting platform is an
application that the user has to download from the official voting provider website. It is the
responsibility of the government to ensure that this server is secure and verifiable.
Enrollment/User Registration
When a user is ready for enrollment, which would be earlier than the voting period, the
user chooses their preferred device and keeps a valid photo-ID (e.g. driver's license, state ID,
passport) ready. During enrollment, the photo-ID is scanned and submitted to the server through
the application. The smartphone application would make use of the built-in camera in the phone
to scan the documents or a desktop application could import the image. We propose a few ways
to validate the data:
1. The data in the ID can be checked against government databases and compared with the
information in the form to validate the user. The form needs additional information about
the user apart from what is available in the photo-ID so that a person could not just spoof
the identity of a user by stealing their photo-ID.
2. The application could be embedded with an option to provide biometric information such
as face, iris or fingerprints.
3. The application can issue a confirmation number, which the user would have to take to a
third-party location trusted by the government for verification.
If the validation process succeeds, the user will be provided with a UUID and it will allow
the user to create a password within the application. The user should provide their phone number
and their email as recovery options.
During user registration, a public key for the user is created at the server end. At the same
time, the user receives a private key that is valid for that particular device. Whenever the user
registers with a new device, a new private key is created on the user end and the public key is
updated on the server end. Users can have only one registered device at any given time to avoid
any race conditions. When the user registers a new device, the private key corresponding to the
old device will be automatically deregistered.
Source: www.fidoalliance.org
Improvements for Authentication
Based on regulations, we can make this more secure by adding FIDO (Fast Identity
Online) authentication where the user has to use their biometric features [6]. This eliminates the
usage of passwords and improves security by having the user scan their face during registration
and every login. The face recognition algorithm can be made stronger to resist any presentation
attacks. Even after registration, the users are validated for their authenticity to rule out imposters.
Another option is having U2F (Universal 2nd Factor Authentication) in place which
would require the need of a key-pair usage or a special token device which needs to be provided
during login [6]. However, such a solution is unlikely on a large scale due to the cost, unless
these devices can be mass produced affordably.
Security Features
Voting Timeout
Every user is created with a timeout by default when they login. This helps us ensure that
the user votes within a particular span of time and that the user is focused on selecting a
candidate. There will also be a “Get More Time” option available for people who are still
indecisive. The default timeout is based on the network strength and the type of device the user is
using to access the service. If it is a mobile device and if they are accessing from a weak
network, their timeout duration is kept higher and it is lower if the user is accessing from a
desktop with a high-speed connection.
Voter Token Generation
Right before the voting period, users are issued with a one-time use token. This token
would be the currency tied to their respective, jurisdictive blockchain. The user will be informed
when the token is available along with the identifier for the token, but the token will not be
visible in the application/webpage for security reasons.
Built-In Virtual Private Network (VPN)
A VPN can be built-in right into the voting application and will be switched on by default
and have no option to switch it off. This would guarantee an encrypted channel of
communication even if the user uses an unsecured network connection.
Voting Process
Provided all prior infrastructure and mechanisms are in place, every user is provided with
the ballot which they can access after they login to the application during the predetermined
voting period. During the login, it is made sure that the private-public key is in place and the
server checks the authenticity of the user. Once the ballot is open, the user has a set amount of
time to make his/her decisions. All options are set to undecided by default to prevent any
confusion. While the user is completing the ballot the timeout duration is clearly visible and s/he
can request for more time if they are indecisive or, for some reason, distracted. If the user is not
able to complete the ballot within the timeout duration and if the user does not request for any
timeout extension, the ballot will be discarded and the user's vote will not be recorded in the
server. The user's vote token will still be valid.
User Experience
Voters will have to enroll with the voting service by downloading the application for their
device. Connections to the server will be automatically tunneled through a VPN. The user will
have to fill out identifying information to build a profile and also submit a government approved
photo ID. After the user has been validated, the user will be informed of the generated UUID and
will be asked to create a password through the application. The user will be informed if they are
eligible to vote or if more information is required to validate them.
During the voting period, the users login to the application, download the ballot and
select their choices. They will have to be mindful about the timer that runs before triggering a
timeout. The user can extend the timeout by clicking on "Extend Timer", if they need extra time
to make their decision. However, once the timeout has expired, the vote will not be submitted
and the user will have to login once again. Once the user has selected his desired candidates,
he/she can submit the vote. Once the vote has been successfully received, a receipt will be issued
to the user which can be used for cross validation later. The user could signal duress by
providing an invalid password while logging in, the vote would still be issued and the user would
be provided with a submission receipt. Whenever a user submits a vote in duress, the user won’t
be able to submit another vote for a set amount of time for voter safety.
Security Challenges
Voter Authenticity
During vote submission, the application asks the user to enter their password twice to
prevent typographical errors. If the credentials entered are valid, the vote token is used when the
user submits the vote. The message along with the token is encrypted with the server’s
(government’s) public key and the user's private key and is passed on to the respective
blockchain.
Voting under duress
If the user is under duress and would like to send a fake vote at that point in time, the user
enters a random password which is the same at both the password fields and clicks on “Login”
[7]. The user would still vote normally and after submitting the vote, the user would get a vote
submission success screen. This would mean that the user has sent a vote under a duress
condition and the vote will not be taken into count. Voting under duress does not invalidate your
token as the user might be able to get away and safely issue his/her real vote later during the
voting period. There will also be a delay before the user can issue a vote ranging from a few
hours to a day depending on the voting period. So, if the person threatening asks the user to
login again, the application would not allow the user to vote immediately. The vote registered
during duress would be considered as a duress vote and would be ignored during the counting of
the votes.
However, if the user would like to register a valid vote after entering a safe zone, the user
can login to the application and download the voting form again. During submission, the user
enters the valid password on both the fields and submits the form. It being a valid entry and as
the user is registering his genuine vote for the first time, the system encrypts the vote and sends it
to the blockchain and issues a receipt for the vote submitted. Irrespective of the number of votes
registered by the user and the success receipts, only the very first vote with valid credentials is
taken into consideration.
Interim Results
Thanks to encryption, interim results will not be visible to anyone until the end of the
voting process (provided such a legal requirement is in place). The only publicly visible
information is the number of transactions represented as blocks on the chain.
Voting Decision
There will be some voters who would not have adequate exposure to the candidates
standing in elections, but would still like to exercise their right to vote. We propose to provide
the option of "None of the Above" which would be selected by default. The voter can choose to
pick any other option that he/she prefers instead of "None of the Above". Once the vote is
submitted, the voter will not have an option to edit his/her vote if they change their mind.
Voting Aftermath
Cryptography and the blockchain are the only mechanisms necessary to ensure that any
concerns about the legitimacy of the voting procedures have not been tampered with. Based on
the total number of tokens issued and exhausted, the user can see how many votes were cast in
total and in each separate jurisdiction at the end of the election period.
The only “legitimacy” issue we can foresee happening is if the government mining
entities decided to carry out a 51% attack to block certain transactions or “double-spend” some
tokens. A 51% attack is when a single user or group of users have the majority of the hashing
power on the whole blockchain. This means they can choose to publicly control which
transactions go through since they will always be able to outperform any other legitimate users.
However, as mentioned before, a government would automatically control 100% of the hashing
power on the blockchain due to its inherent centralization. At the same time such an attack would
be extremely obvious and thus automatically discredit the whole blockchain defeating the
purpose of using this technology in the first place; neither the government, candidates or the
voters would benefit from such a situation [8].
A voter will be able to check if his/her vote exists in the blockchain by requesting the
application to download the block pertaining to the voter. After the voting period is over, the
government can make their private keys public allowing auditors and voters to verify the count
as well as see if their vote was counted by replicating the hash. On the government side, seeing
how many people voted can be as simple as checking how many tokens were exhausted and
comparing that with the total number of tokens issued for each jurisdiction.
Conclusion
We have proposed our idea on how a digital voting system could be designed which
could withstand the most common attack vectors and voting issues. Understanding the
importance of selecting a ruling candidate of a country, digital voting should provide
convenience to voters but also eliminate the possible attacks resulting in fraudulent votes being
registered.
References:
[1] S. Delaune, S. Kremer, and M. Ryan, “Coercion-resistance and receipt-freeness in electronic voting,” 19th IEEE Computer Security Foundations Workshop (CSFW’06). p. 12 pp.-pp.42, 2006.
[2] M. Swan, Blockchain: Blueprint for a new economy. “ O’Reilly Media, Inc.,” 2015.
[3] S. Omohundro, “Cryptocurrencies, smart contracts, and artificial intelligence,” AI matters, vol. 1, no. 2, pp. 19–21, 2014.
[4] “Blockstream,‘How sidechains work?,’” 2016. [Online]. Available: https://blockstream.com.
[5] N. Hampton, “Understanding the blockchain hype: Why much of it is nothing more than snake oil and spin,” Computerworld, 2016. [Online]. Available: http://www.computerworld.com.au/article/606253/understanding-blockchain-hype-why-much-it-nothing-more-than-snake-oil-spin/.
[6] D. Balfanz, “FIDO U2F Implementation Considerations,” 2013.
[7] J. Clark and U. Hengartner, “Panic Passwords: Authenticating under Duress.,” HotSec, vol. 8, p. 8, 2008.
[8] Learncryptography, “51% Attack,” 2016. [Online]. Available: https://learncryptography.com/cryptocurrency/51-attack.