Log Analysis of Estonian Internet Voting 2013–2015
Source: kodu.ut.ee/~arnis/slides_logmon.pdf
Sven Heiberg (1), Arnis Parsovs (2, 3), Jan Willemson (2, 4)
(1) Smartmatic-Cybernetica Centre of Excellence for Internet Voting
(2) Software Technology and Applications Competence Centre
(3) University of Tartu, Institute of Computer Science
(4) Cybernetica
November 5, 2015
Research objective
Analyse information available to NEC in order to:
- Detect attacks against i-voting
- Detect system malfunction
- Study voter behaviour
Data sources:
- Log files produced by i-voting servers
- Support requests handled by NEC
- Public information
Estonia has i-voted since 2005
[Figure: share of Internet voters (%) by election: 2005 Local, 2007 Parl., 2009 EP, 2009 Local, 2011 Parl., 2013 Local, 2014 EP, 2015 Parl.; series: % of voters, % of verified votes]
Objects of this study:
- Municipal Elections 2013 (KOV2013)
- European Parliament Elections 2014 (EP2014)
- Riigikogu Elections 2015 (RK2015)
Voting protocol in 2015
1. Authentication
2. Candidate list $L$
3. $\mathrm{Sig}_v(\mathrm{Enc}_{spub}(c_v, r))$
4. Vote reference $vr$
5. $r$, $vr$
6. $vr$
7. $\mathrm{Enc}_{spub}(c_v, r)$, $L$
(8. $c_v$)
There are three sub-protocols:
- Voting with smart card-based eID
- Voting with Mobile-ID
- Vote verification with the mobile device
Logs generated on candidate list retrieval
[Sequence diagram between IVCA, VFS, Log Monitor and VSS. Labels in order of appearance:]
- TLS client auth
- generate_sid()
- sid
- msg_ip, sid, IP
- msg_ua, sid, UserAgent
- msg_auth, sid, PC, Cert_auth
- msg_begin, sid
- get_candidate_list()
- C, District
- msg_name, sid, Name
- msg_dist, sid, District
- check_revoting_vfs()
- msg_send.req.rev, sid
- sid, PC
- msg_req.rev, sid
- check_revoting_vss()
- R
- msg_resp.rev, sid
- R
- R
- msg_revoted, sid, R
- msg_resp, sid
- C, sid, R
Log analysis is not a trivial task
- Logs in KOV2013 – more than 4'000'000 loglines, 700MB
Log monitor
- Centralized logserver using rsyslog
- Log-processor
  - Parse entry, extract information, fill database
- Analysis front-end
  - Provide descriptive statistics and pattern analysis
- Pseudonymization of logs for later research
Database model
certificates: session_id, auth_serial, sign_serial, auth_hash, sign_hash, auth_eid, sign_eid
sessions: session_id, personal_code, phone, ip, os, timestamp_cand, status_cand, timestamp_vote, status_vote, vote_hash, vote_id
ips: session_id, ip, geoip
persons: personal_code, givenname, surname, district
verifications: verification_id, vote_id, timestamp, ip, geoip, os, status
incidents: session_id, timestamp, logline
incident_response: session_id, response, user, timestamp
[Diagram: relationship cardinalities between the tables (1, 0..1, 0..*, 1..*)]
What should we look for in the data?
Normality profile:
- Describe in detail "normal" i-voting:
  - The voting session creates only expected log entries
  - The voting session ends with a successfully cast vote
  - The verification session ends with a successfully verified vote
  - The voting session is completed in a few minutes
  - Not too many voters share the same voting IP address
  - Not too many verifiers share the same verifying IP
  - The overall percentage of revoters is small
  - The vote is verified from a single IP address
  - etc.
- In total 24 features
- Anomaly pattern – inverse of normality
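A minimal checker for four of the normality features listed above, as an added example that is not part of the original slides or the authors' log monitor. The rows are constructed and follow the sessions and verifications tables of the database model; the thresholds and the "ok" status value are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed cut-offs; the slides name the features but not the threshold values.
MAX_SESSION = timedelta(minutes=6)
MAX_VOTERS_PER_IP = 100

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed rows: (session_id, personal_code, ip, timestamp_cand,
#                    timestamp_vote, status_vote, vote_id)
SESSIONS = [
    ("s1", "p1", "192.0.2.10", ts("2015-02-20 18:00"), ts("2015-02-20 18:02"), "ok", "x1"),
    ("s2", "p2", "192.0.2.10", ts("2015-02-20 18:10"), ts("2015-02-20 18:30"), "ok", "x2"),
    ("s3", "p3", "192.0.2.10", ts("2015-02-20 19:00"), None, "abandoned", None),
    ("s4", "p4", "203.0.113.5", ts("2015-02-21 20:00"), ts("2015-02-21 20:01"), "ok", "x4"),
]
# Constructed rows: (vote_id, verifying ip)
VERIFICATIONS = [("x1", "192.0.2.10"), ("x1", "198.51.100.4"), ("x4", "203.0.113.5")]

def anomalies(sessions, verifications, max_voters_per_ip=MAX_VOTERS_PER_IP):
    """Map session_id to the normality features that the session violates."""
    voters_by_ip, ips_by_vote = defaultdict(set), defaultdict(set)
    for _, voter, ip, *_rest in sessions:
        voters_by_ip[ip].add(voter)
    for vote_id, ip in verifications:
        ips_by_vote[vote_id].add(ip)
    found = {}
    for sid, _, ip, t_cand, t_vote, status, vote_id in sessions:
        flags = []
        if status != "ok":
            flags.append("no vote cast")
        elif t_vote - t_cand > MAX_SESSION:
            flags.append("session too slow")
        if len(voters_by_ip[ip]) > max_voters_per_ip:
            flags.append("IP shared by many voters")
        if vote_id is not None and len(ips_by_vote[vote_id]) > 1:
            flags.append("vote verified from several IPs")
        if flags:
            found[sid] = flags
    return found
```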
Session breakdown
                    KOV2013             EP2014              RK2015
Session kind        Sessions  Voters    Sessions  Voters    Sessions  Voters
All sessions        176,144   –         120,503   –         211,215   –
Voting              170,801   138,532   114,792   104,679   201,811   179,262
  Successful        80.1%     133,808   91.6%     103,151   89.7%     176,491
    ID card         91.4%     122,471   89.0%     91,964    87.8%     155,267
    Mobile-ID       8.6%      11,395    11.0%     11,226    12.2%     21,307
  Unsuccessful      19.9%     19,705    8.4%      6,050     10.3%     15,007
    ID card         76.9%     16,201    64.9%     4,157     69.1%     11,226
    Mobile-ID       23.1%     3,658     35.1%     1,940     30.9%     3,864
Verification        5,343     4,542     5,711     4,250     9,404     7,563
  Successful        94.0%     4,521     85.7%     4,210     89.7%     7,522
  Unsuccessful      6.0%      84        14.3%     131       10.3%     120
Unsuccessful voting sessions
[Figure: successful % vs. unsuccessful % for KOV2013, EP2014 and RK2015, shown by voters and by sessions]
Unsuccessful voting sessions – explicit errors
Reason for failure            KOV2013   EP2014    RK2015
Explicit error                8,979     4,032     5,513
  Common error                1,103     369       1,509
    Maintenance               11        0         1
    Under-aged voter          28        16        30
    Ineligible voter          1,063     315       507
    Voting ended              1         38        89
    Session expired           –         –         882
  Certificate issue           1,978     302       641
  Pre-2011 Mobile-ID user     1,490     549       366
  Bad Mobile-ID number        2,051     491       974
  DigiDocService failure      47        0         0
  Mobile-ID failures          2,217     1,148     1,956
  Incident                    93        1,173     67
Unexpected log entries – incidents
- KOV2013
  - 37 failed ID card sessions – buggy OpenSC
  - 36 failed voting sessions – problematic backup routine
  - 17 malformed votes – lack of error checking in voting client
  - 3 invalid cell numbers – lack of input validation in voting client
- EP2014
  - 1131 failed voting sessions – timezone bug in cert verification
  - 42 incidents with buggy OpenSC or failed M-ID
  - 196 malformed vote verification requests – iOS verification application
  - 5 ID card sessions with card switching
  - 6 sessions with incorrect session state change
- RK2015
  - 1 failed session – inaccessible voter list
  - 2 ID card sessions with card switching
  - 4 ID card sessions vote signature invalid
  - 1 ID card session with invalid certificate signature
  - 59 Mobile-ID sessions using outdated voting client
  - 615 verification sessions using outdated verification application
  - 19 sessions with incorrect session state change
Other reasons for failure
                              KOV2013             EP2014              RK2015
Reason for failure            Sessions  Voters    Sessions  Voters    Sessions  Voters
Other reason                  24,969    16,087    5,593     4,340     15,214    12,072
  Discontinued (Mobile-ID)    826       595       672       477       1,454     1,039
    Authentication            636       470       461       332       1,008     731
    Signing                   190       178       211       196       446       415
  Abnormal                    40        34        0         0         0         0
  Vote not submitted          24,103    15,563    4,921     3,889     13,760    11,103
    ID card                   23,004    14,630    4,524     3,521     12,283    9,779
    Mobile-ID                 1,099     954       397       371       1,477     1,353
Unsuccessful voting sessions – failure to cast a vote
- Abandoned voting sessions – candidate list is successfully downloaded, but the vote is never cast
- Forgotten PIN to access the signing key
- Bugs in voting client (KOV2013)
- Probably not disenfranchisement attack – would be noticed by verification
          Sessions  Voters    Voters (u)
KOV2013   24,103    15,563    2,889
EP2014    4,921     3,889     869
RK2015    13,760    11,103    1,947
Verification errors
                                KOV2013              EP2014               RK2015
Reason for failure              Sessions  Verifiers  Sessions  Verifiers  Sessions  Verifiers
Unsuccessful sessions           319       84         787       106        965       218
  Newer vote cast               19        6          11        6          17        6
  Verification count exceeded   144       47         317       81         154       63
  Verification time exceeded    95        54         78        39         121       63
  Vote ID not issued            60        –          185       –          58        –
  Abnormal state                1         1          –         –          –         –
  Malformed vote ID             –         –          196       –          –         –
  Invalid verification request  –         –          –         –          615       104
Support requests
Topic KOV2013 EP2014 RK2015
QR code focussing problems 8 8 0
State-revoked ID cards (issued in 2011) 5 1 0
Android VVA crash 3 1 0
Outdated ID-software, drivers 9 6 8
IVCA Internet connectivity issues 109 24 0
Unsupported voting platforms 3 0 101
Pre-2011 Mobile-ID user 6 2 2
PIN code issues 3 9 0
ID-software not installed 13 0 0
IVCA errors 0xX 13 0 0
MacOS X without ID-software 0 41 0
Website related 0 14 12
Certificates not yet valid bug 0 10 0
iOS-based VVA 0-byte bug 0 4 0
ID-card certificates expired 0 0 2
General election questions 0 0 22
Built-in card readers, drivers 0 0 75
Other 85 49 109
IP address shared by several voters
On average one IP shared by:
- KOV2013: 1.95 voters
- EP2014: 1.97 voters
- RK2015: 2.11 voters
IP addresses shared by more than 100 voters:
- KOV2013: 28 IPs (top IP shared by 1,127 voters)
- EP2014: 22 IPs (top IP shared by 970 voters)
- RK2015: 28 IPs (top IP shared by 1,415 voters)
IP address shared by several voters
- Activity not evenly distributed over the voting period
- short interval (<5 minutes)
- the same OS
- no overlapping sessions
- IP activity in 24 hours
Group size  KOV2013  EP2014  RK2015
2           8,476    6,033   10,795
3           697      523     1,045
4           108      60      150
5           15       9       15
6           3        1       1
7           0        0       1
- RK2015 7 voter group: Colombian IP, ID cards, 20 minutes
- This is a technical upper-bound to group-voting
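One way to find candidate voting groups from the criteria above (same IP, same OS, intervals under five minutes, no overlapping sessions, activity within 24 hours), as an added example that is not the authors' tool. The sample rows are constructed, and reading the interval as the gap between one session's end and the next session's start is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

MAX_GAP = timedelta(minutes=5)    # "short interval (<5 minutes)"
MAX_SPAN = timedelta(hours=24)    # "IP activity in 24 hours"

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample rows: (voter pseudonym, ip, os, session start, session end)
SESSIONS = [
    ("v1", "198.51.100.7", "Windows", ts("2015-02-20 18:00"), ts("2015-02-20 18:02")),
    ("v2", "198.51.100.7", "Windows", ts("2015-02-20 18:04"), ts("2015-02-20 18:06")),
    ("v3", "198.51.100.7", "Windows", ts("2015-02-20 18:09"), ts("2015-02-20 18:11")),
    ("v4", "198.51.100.7", "Mac",     ts("2015-02-20 18:12"), ts("2015-02-20 18:14")),  # other OS
    ("v5", "203.0.113.9",  "Linux",   ts("2015-02-21 09:00"), ts("2015-02-21 09:03")),
    ("v6", "203.0.113.9",  "Linux",   ts("2015-02-21 09:02"), ts("2015-02-21 09:05")),  # overlaps v5
    ("v7", "203.0.113.9",  "Linux",   ts("2015-02-21 12:00"), ts("2015-02-21 12:02")),  # gap too long
]

def voting_groups(sessions):
    """Return lists of distinct voters who used one IP and OS back to back."""
    by_key = {}
    for voter, ip, os_name, start, end in sessions:
        by_key.setdefault((ip, os_name), []).append((start, end, voter))
    chains = []
    for rows in by_key.values():
        rows.sort()
        chain = [rows[0]]
        for row in rows[1:]:
            gap = row[0] - chain[-1][1]              # next start minus previous end
            in_day = row[1] - chain[0][0] <= MAX_SPAN
            if timedelta(0) <= gap < MAX_GAP and in_day:
                chain.append(row)                    # sequential, non-overlapping, close in time
            else:
                chains.append(chain)                 # overlap or long gap ends the group
                chain = [row]
        chains.append(chain)
    voters = [sorted({v for _, _, v in chain}) for chain in chains]
    return [g for g in voters if len(g) >= 2]

def group_size_histogram(sessions):
    """Count groups per group size, as in the table above."""
    return dict(Counter(len(g) for g in voting_groups(sessions)))
```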
IP address shared by several verifiers
On average one IP shared by:
- KOV2013: 1.35 verifiers
- EP2014: 1.31 verifiers
- RK2015: 1.4 verifiers
Top IPs shared by:
- KOV2013: 10 verifiers
- EP2014: 13 verifiers
- RK2015: 11 verifiers
Voting and verification IP the same:
- KOV2013: 53.28%
- EP2014: 56.82%
- RK2015: 60.17%
Large percentage of revoters
Voters casting more than one vote:
- KOV2013: 1.93% (2,586 voters)
- EP2014: 1.69% (1,743 voters)
- RK2015: 2.29% (4,034 voters)
Top 10 revoters:
KOV2013  EP2014  RK2015
32       41      60
27       39      37
10       36      29
10       28      19
9        20      12
8        17      11
8        11      10
7        9       10
6        7       8
6        7       8
Large percentage of revoters
[Figure: RK2015 histogram of time between revoting (h), 0 to 168; y-axis: frequency]
- 30% revote in the first ten minutes
- 40% revote in the first hour
- 20% revote from a different IP
- Voters with parallel voting sessions:
  - KOV2013: 60 voters
  - EP2014: 28 voters
  - RK2015: 99 voters
Large percentage of revoters
[Figures: activity over time for KOV2013 (Oct 11 to Oct 17), EP2014 (May 16 to May 22) and RK2015 (Feb 20 to Feb 26); series: first revotes cast by revoters, first votes cast by voters (scaled by 0.25)]
Voting sessions too slow
[Figure: RK2015 histogram of voting session length (s), 0 to 1200; y-axis: frequency]
More than 50% sessions shorter than two minutes
More than 90% sessions shorter than six minutes
The longest voting sessions:
- KOV2013: 4.72 days
- EP2014: 5.6 days
- RK2015: 5.5 days (unsuccessful)
Vote verified from different IP addresses
Votes verified from more than one IP address:
- KOV2013: 19
  - 2 IPs (18)
  - 3 IPs (1)
- EP2014: 23
  - 2 IPs (23)
- RK2015: 49
  - 2 IPs (44)
  - 3 IPs (2)
  - 4 IPs (1)
  - 7 IPs (1)
  - 8 IPs (1)
Verifications over several days from different OSs
⇒ QR codes published somewhere!
Vote verified from different IP addresses – RK2015 4 IPs
https://www.youtube.com/watch?v=yZ4s95lFkk4#t=107
Vote verified from different IP addresses – RK2015 8 IPs
https://twitter.com/LauriBambus/status/568355079318835200/photo/1
First voting session seen as revoting
Security feature. No cases have been registered by the NEC.
Non-i-voter denied paper vote
On election Sunday, an i-voter will be denied a paper vote.
Security feature. No cases have been registered by the NEC.
General statistics – voter activity by age
[Figures: turnout (%) by age (20 to 100) for KOV2013, EP2014 and RK2015]
General statistics – gender distribution of voting
[Figure: % of voters, female vs. male, for KOV2013, EP2014 and RK2015]
General statistics – voter activity by gender (out of eligible)
[Figures: female voter activity (%) by age (20 to 100), one panel per election]
In KOV2013 i-voted:
- M: 12.94%
- F: 11.78%
In EP2014 i-voted:
- M: 11.55%
- F: 9.84%
In RK2015 i-voted:
- M: 19.54%
- F: 17.40%
General statistics – age vs voting time
[Figures: voting time (s) by age (25 to 100) for KOV2013, EP2014 and RK2015]
General statistics – verifier activity by age
[Figures: verifiers (%) by age for KOV2013 (20 to 100), EP2014 (20 to 90) and RK2015 (20 to 90)]
General statistics – gender distribution of verification
[Figure: % of verifiers, female vs. male, for KOV2013, EP2014 and RK2015]
General statistics – verifier activity by gender
[Figures: female verifier activity (%) by age, one panel per election]
In KOV2013 verified:
- M: 4.87%
- F: 2.04%
In EP2014 verified:
- M: 6.26%
- F: 2.11%
In RK2015 verified:
- M: 6.16%
- F: 2.64%
Verification activity among Mobile-ID users
[Figure: % of verifiers among Mobile-ID users and non-Mobile-ID users, for KOV2013, EP2014 and RK2015]
General statistics – OS popularity by age
[Figures: OS share (%) by age (20 to 100) for KOV2013, EP2014 and RK2015; series: Windows, Mac, Linux]
General statistics – OS popularity by gender
[Figures: male vs. female share (%) of Linux, Mac and Windows users for KOV2013, EP2014 and RK2015]
General statistics – Verification OS popularity (RK2015)
[Figures: verification OS share (%) by age (20 to 90) and by gender; series: Android, iPhone, Windows]
General statistics – eID tool popularity by age
[Figures: eID tool share (%) by age (20 to 100) for KOV2013, EP2014 and RK2015; series: ID card, Mobile-ID, Digi-ID]
General statistics – eID tool popularity by gender
[Figures: male vs. female share (%) of ID card, Digi-ID and Mobile-ID users for KOV2013, EP2014 and RK2015]
Conclusions
- Systematic data analysis method has been developed
- Several bugs were found and fixed
- No large-scale attacks were detected against the i-voters
- Observations are similar between the elections
- Interesting phenomena were observed
- Limitations
  - Some data not available for investigation
  - Attack vs legitimate behaviour
  - Unexplained voter behaviour