SYSSEC: October 2007 Archives

 

October 13, 2007

The Swiss are somehow using quantum crypto to secure e-voting.
Developed by id Quantique in collaboration with the Australian company Senetas, the Cerberis quantum cryptography system will be used to protect election data relayed over a fiber optic connection. Unlike conventional Internet cryptography protocols, which use public key infrastructure, quantum cryptography relies on the principles of quantum uncertainty and generally involves encoding information into photons in a manner that will be noticeably and irreparably disrupted by any form of interception or monitoring. The cryptographic technique is still considered radically experimental, and this is one of the first practical applications of the technique.

Under ideal circumstances, quantum cryptography can ensure that communications between two parties have not been overheard. In the real world, however, quantum cryptography is subject to a number of different attacks. At present, any particle system is probably immune to such attacks because of the technical knowledge required to carry one out.

"We would like to provide optimal security conditions for the work of counting the ballots," said Geneva state chancellor Robert Hensler in a statement. "In this context, the value added by quantum cryptography concerns not so much protection from outside attempts to interfere as the ability to verify that the data have not been corrupted in transit between entry and storage."

I don't really understand what threat this is intended to counter. You've got some set of precincts (or whatever they're called Switzerland in) where the voting actually occurs. Those precincts are equipped with optical scanners, DREs or whatever, and they collect the votes. The votes (or maybe just counts) are sent to election central, where they're aggregated and the winners are determined. Based on this somewhat confusing article, they're using quantum crypto to secure that transmission over dedicated optical lines.

This seems both unnecessary and unwise. It's unnecessary because you don't really need to use a network to move the data. Just write it on CDROMs and drive or mail it to election central. The only reason to move it over a network is to make it a bit faster—something which seems sort of irrelevant if the election is being held within a single city. Even if you for some reason think that shipping stuff is too slow, you can always send the data over the network and then follow up with physical media as a double check. Note that the security issue here isn't primarily confidentiality—this data is sensitive but not that confidential, especially if you're just shipping tallies around. You just need integrity and you can double-check against the physical copies to match the preliminary results to the final results.

As for unwise, it's a really bad idea to have the computers at election central connected to the network, since that's a potential avenue for intrusion. Even if you use cryptographic (quantum or otherwise) access control to prevent any communication from the outside world, you're deliberately letting precinct devices connect to election central, which allows someone who has compromised a precinct device to potentially escalate privileges up to a compromise of election central. Since those devices generally aren't secured that carefully, That's not a really good design choice—even if we ignore the usual reasons why quantum crypto isn't that convenient.