A possible practical application for Qubes OS? secure e-voting LiveCD


Eduardo Robles Elvira

Sep 4, 2011, 4:32:14 AM
to qubes...@googlegroups.com
Hello people,

May I introduce myself: I'm a developer of the Agora
Ciudadana [1] voting system. We are developing a voting system we want
to use in a currently small Spanish political party called "Partido de
Internet", and our idea is that our congress members will vote in congress
the way people previously voted over the Internet, for each vote. Once
created, this powerful voting system could be used in other
environments too. We are all volunteers, currently.

We want our voting system to be as secure as possible and we are in
contact with voting systems and security researchers from all over the
world. For secure e-voting we cannot trust the user's OS and
simply allow voting using his web browser. We will probably do that in
the testing phase but ideally not when it gets real.

When voting, the citizen authenticates himself by signing the encrypted
vote with his national electronic identity card (Spanish DNI-e).
So we have thought about the creation of a secure LiveCD environment,
in which the user, without any network connection and without mounting the
PC data devices (disk, USB pen drives, etc.), creates the encrypted vote
and signs it with his DNI-e. Then he disconnects his DNI-e from the
smart card reader and only after that he connects to the Internet and
sends the vote. This way if someone finds a bug in the LiveCD and
tries to hack into the user's system, it will be too late: he might be
able to change the vote, but without the smart card physically
connected to the system, he won't be able to forge the signature.

Of course this system is far from perfect. First of all, if the user
BIOS has been compromised, then it might have been changed to boot
another similar but hijacked LiveCD. This is something that AFAIK we
must live with. But then there's also the hassle of having to
configure the Internet connection always after booting the LiveCD for
sending the ballot.

Here I think something like Qubes OS might be a solution: we could have
something better than a LiveCD, a LiveUSB with some writable space on
it. Then we could have isolation between the dom0 VM in which the user
creates the encrypted vote and signs it, the network VM, the VM that
sends the vote to the server, the VM that stores the network
configuration, etc. Of course we would need to make all of them
integrated in one workflow, so that the sending of the vote from one
VM to the other doesn't need the user to copy-and-paste but is
automatic (but somehow restricted/protected), etc.

I don't know if what I'm proposing is such a good idea, you are the
experts here =). We want to support as many user machines as possible
(and I've seen that you recommend 4GB of RAM, though for our single
use case we could try to trim memory usage as much as possible), I
don't really know how Qubes OS would work in a "single-pen-drive
installation to rule them all (a la LiveUSB)" setting, and I don't
know how difficult it would be to configure the VMs we need to
integrate one with another so that it's not a hassle to the user. Bear
in mind that there will be lots of users doing exactly the same use
case (voting) repeatedly over time (lots of votes in congress, though
we have a vote delegation scheme), so it needs to be as simple as
possible.

What do you think, am I crazy nuts or could it work? What are your
thoughts, suggestions, recommendations? Thanks in advance.

Regards,
--
[1] http://www.agoraciudadana.org/en/
--
Eduardo Robles Elvira    edu...@wadobo.com         +34 668 824 393
Wadobo Software S.L.   http://www.wadobo.com     it's not magic, it's wadobo!
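The sign-then-detach flow described in the post above, as an added example that is not part of the original message or of the Agora Ciudadana code. It assumes textbook RSA with small keys as a stand-in for both the election's encryption key and the DNI-e signing key (a real deployment would use padded RSA or an equivalent scheme, and the card's private key never leaves the card); the `SmartCard` class, the `cast_and_check` helper and the ballot contents are constructed for the illustration.

```python
"""
Sign-then-detach ballot flow (added example, not the Agora Ciudadana code).

Assumption: textbook RSA with 256-bit primes stands in for both the
election encryption key and the DNI-e signing key. This is a toy for
illustrating the workflow, not a production signature scheme.
"""
import hashlib
import random

_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). Toy key size, chosen for speed."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (p * q, e), (p * q, d)


def _i2b(x, n):
    return x.to_bytes((n.bit_length() + 7) // 8, "big")


def encrypt_ballot(ballot, election_pub):
    """Offline step 1: encrypt the plaintext ballot to the election key."""
    n, e = election_pub
    m = int.from_bytes(ballot, "big")
    if m >= n:
        raise ValueError("ballot too long for this toy modulus")
    return _i2b(pow(m, e, n), n)


def decrypt_ballot(ciphertext, election_priv):
    """Tally side: recover the ballot (leading zero bytes are not preserved)."""
    n, d = election_priv
    m = pow(int.from_bytes(ciphertext, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


class SmartCard:
    """Models the DNI-e: signs only while inserted; the key never leaves it."""

    def __init__(self, priv):
        self._priv = priv
        self.inserted = True

    def remove(self):
        self.inserted = False

    def sign(self, data):
        if not self.inserted:
            raise RuntimeError("card not present")
        n, d = self._priv
        h = int.from_bytes(hashlib.sha256(data).digest(), "big")
        return _i2b(pow(h, d, n), n)


def verify(data, signature, voter_pub):
    """Server side: the signature must cover the ciphertext as received."""
    n, e = voter_pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(signature, "big"), e, n) == h


def cast_and_check(ballot, election_pub, election_priv, card, voter_pub,
                   tamper=False):
    """Whole flow. Returns the decrypted ballot, or None if the server rejects."""
    ciphertext = encrypt_ballot(ballot, election_pub)   # offline, card inserted
    signature = card.sign(ciphertext)
    card.remove()                                       # card out before going online
    if tamper:  # attacker who owns the box from here on can alter bytes...
        ciphertext = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    if not verify(ciphertext, signature, voter_pub):    # ...but cannot re-sign
        return None
    return decrypt_ballot(ciphertext, election_priv)
```

The point the flow makes: once the card is out, anything that compromises the machine during the online phase can only alter or drop the signed ciphertext, and an altered one fails verification at the server. It says nothing about code that was already running before the signature was made (the hijacked-LiveCD case in the post), which would simply change the ballot before it is signed.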

Joanna Rutkowska

Sep 4, 2011, 4:58:58 AM
to qubes...@googlegroups.com, Eduardo Robles Elvira
Hello Eduardo,

Correct. Assuming we can ensure (attest to the user) that what he booted
was indeed a legitimate "Spanish Voting LiveCD", and not some
compromised LiveCD...

> Of course this system is far from perfect. First of all, if the user
> BIOS has been compromised, then it might have been changed to boot
> another similar but hijacked LiveCD.

Exactly. Although this would qualify as a rather sophisticated attack.

> This is something that AFAIK we
> must live with.

Not necessarily. Incidentally we're planning to release something to
prevent exactly such attacks within the coming days, so I suggest you
just wait a few days, observing my blog... ;)

> But then there's also the hassle of having to
> configure the Internet connection always after booting the LiveCD for
> sending the ballot.
>
> Here I think something like Qubes OS might be a solution: we could have
> something better than a LiveCD, a LiveUSB with some writable space on
> it.

What would you like to use the writable space for? Just out of curiosity?

> Then we could have isolation between the dom0 VM in which the user
> creates the encrypted vote and signs it,the network VM, the VM that
> sends the vote to the server, the VM that stores network
> configuration, etc. Of course we would need to make all of them be
> integrated in one workflow, so that the sending of the vote from one
> VM to the other doesn't need the user copy-and-paste but it's
> automatic (but somehow restricted/protected), etc.
>

In Qubes Beta 2 (that is coming SOON) we have introduced a special
infrastructure for inter-VM services (with centrally managed policy
about which VM is allowed to obtain what services from others). So, it
might be useful to implement the architecture you're talking about.


> I don't know if what I'm proposing is such a good idea, you are the
> experts here =). We want to support as many user machines as possible
> (and I've seen that you recommend 4GB of RAM, though for our single
> use case we could try to trim memory usage as much as possible), I
> don't really know how Qubes OS would work in a "single-pen-drive
> installation to rule them all (a la LiveUSB)" setting, and I don't
> know how difficult it would be to configure the VMs we need to
> integrate one with another so that it's not a hassle to the user. Bear
> in mind that there will be lots of users doing exactly the same use
> case (voting) repeatedly over time (lots of votes in congress, though
> we have a vote delegation scheme), so it needs to be as simple as
> possible.
>
> What do you think, am I crazy nuts or could it work? What are your
> thoughts, suggestions, recommendations? Thanks in advance.
>

It could definitely work. Although for such a simple task (sending just
one vote) perhaps it's an overkill? You would need to think it over
because you know the use model better than I.

joanna.
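The centrally managed inter-VM service policy Joanna refers to, as an added illustration that is not code from this thread or from the Qubes project: it assumes the qrexec policy syntax of later Qubes releases (R2/R3: a dom0 file named after the service, one `source target action` rule per line, first match wins, no match means deny), and the VM names `vote-vm` and `send-vm` and the service name `agora.SubmitBallot` are hypothetical.

```text
# dom0: /etc/qubes-rpc/policy/agora.SubmitBallot   (hypothetical service name)
# <source VM>   <target VM>   <action>
# Only the offline VM that built and signed the ballot may hand it to the
# network-facing VM; the second line only makes the implicit default explicit.
vote-vm    send-vm    allow
$anyvm     $anyvm     deny

# send-vm: /etc/qubes-rpc/agora.SubmitBallot   (service body, hypothetical)
# reads the signed ballot from stdin and submits it to the election server.
# vote-vm invokes it with:  qrexec-client-vm send-vm agora.SubmitBallot < ballot.signed
```

The policy is evaluated in dom0, so neither the network-facing VM nor anything that compromises it can open the channel in the other direction; the ballot moves one way, and the VM that signed it needs no network access of its own.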


Eduardo Robles Elvira

Sep 4, 2011, 5:34:09 AM
to Joanna Rutkowska, qubes...@googlegroups.com

If there's a way to prevent such attacks, then we want it - I'll be
observing the blog =).

>> But then there's also the hassle of having to
>> configure the Internet connection always after booting the LiveCD for
>> sending the ballot.
>>
>> Here I think something like Qubes OS might be a solution: we could have
>> something better than a LiveCD, a LiveUSB with some writable space on
>> it.
>
> What would you like to use the writable space for? Just out of curiosity?

There are basically two possible use cases, the first being for me the
most important one:

* To be able to store the user's network configuration. Bear in mind
that the same user will probably boot the LiveUSB multiple times, so
if he doesn't have some place to store the configuration data it will
be lost, and each time the LiveUSB boots he would need to
reconfigure the network... that's a hassle.

* If the network configuration fails, at least the user should be able
to encrypt and sign the vote within the LiveUSB. Then he should be
able to reboot into his computer's main OS, read the ballot file in the
VFAT? partition on the USB pen drive, and send the ballot over the
network.

Of course we could try to store the data in the user's hard disk but
that's an even less controlled place and more error prone.

>> Then we could have isolation between the dom0 VM in which the user
>> creates the encrypted vote and signs it,the network VM, the VM that
>> sends the vote to the server, the VM that stores network
>> configuration, etc. Of course we would need to make all of them be
>> integrated in one workflow, so that the sending of the vote from one
>> VM to the other doesn't need the user copy-and-paste but it's
>> automatic (but somehow restricted/protected), etc.
>>
> In Qubes Beta 2 (that is coming SOON) we have introduced a special
> infrastructure for inter-VM services (with centrally managed policy
> about which VM is allowed to obtain what services from others). So, it
> might be useful to implement the architecture you're talking about.

Nice!

>> I don't know if what I'm proposing is such a good idea, you are the
>> experts here =). We want to support as many user machines as possible
>> (and I've seen that you recommend 4GB of RAM, though for our single
>> use case we could try to trim memory usage as much as possible), I
>> don't really know how Qubes OS would work in a "single-pen-drive
>> installation to rule them all (a la LiveUSB)" setting, and I don't
>> know how difficult it would be to configure the VMs we need to
>> integrate one with another so that it's not a hassle to the user. Bear
>> in mind that there will be lots of users doing exactly the same use
>> case (voting) repeatedly over time (lots of votes in congress, though
>> we have a vote delegation scheme), so it needs to be as simple as
>> possible.
>>
>> What do you think, am I crazy nuts or could it work? What are your
>> thoughts, suggestions, recommendations? Thanks in advance.
>>
>
> It could definitely work. Although for such a simple task (sending just
> one vote) perhaps it's an overkill? You would need to think it over
> because you know the use model better than

It might seem overkill, yeah, but it would definitely qualify as the
most secure way I could think of. The idea is to isolate vote creation
from the Internet as effectively as possible whilst giving the
user some conveniences, like not having to configure the Internet
connection every time he boots up the LiveUSB.

Regards,
