FI86486C - FOERFARANDE FOER ATT ARRANGERA TELEROESTNINGEN PAO ETT SAEKERT SAETT. - Google Patents

Description

1 86436

A method for securely organizing teleconferencing. -Förfarande för att arrangera teleröstningen pä ett säkert sätt.

Tele-voting refers to a voting procedure in which voters are offered the opportunity to exercise their voting rights, for example by using a telecommunications connection.

The fundamental nature of teleconferencing is such that a telecommunications network used as a telecommunications medium must meet certain requirements in order to be eligible for teleconferencing in general. The main requirement is that the network must be geographically comprehensive, meaning that voters must have as easy access as possible. Telecommunications media that are most relevant to teleconferencing are, for example, the public switched telephone network, public circuit-switched data transmission networks or public packet-switched data transmission networks.

However, the high geographical coverage of the network used as a communication medium poses a problem for the conduct of voting and, in particular, the preservation of electoral secrecy. Easy access to these networks makes them vulnerable in terms of privacy.

The traditional view has been that one of the main obstacles to the introduction of teleconferencing systems has been precisely that election secrecy cannot be guaranteed in these procedures.

The method which is the subject of the present invention makes it possible to ensure the secrecy of elections in teleconferencing.

Electoral secrecy in voting is the sum of several different factors. The most important thing is usually considered to be the secrecy ... of voting information. That is, the fact that the voting choice of a private voter does not fall into the hands of anyone other than the voter himself under any circumstances.

2 86486 Ensuring mutually reliable identification is also an important issue for electoral secrecy in voting systems. In order for the system to be considered secure, the voter must be assured that he or she is in fact connected to the voting machine as intended and not, for example, to an eavesdropper that mimics the operation of a voting machine. Similarly, it is important that the voting machine has the ability to verify the identity of the voter. This is because the voter would only be able to exercise their own voting rights.

Perhaps a slightly less important issue for electoral secrecy is generally perceived to be the protection of the fact that a particular voter has exercised his or her right to vote in a particular vote. For example, this security requirement is not met in traditional elections. Whether or not a particular person has gone to the polls is always, in principle, public information.

However, from the point of view of electoral secrecy, according to the general principles attached to it, it would be essential that the information on whether or not a voter voted in a particular vote could be protected. There has even been a lot of public comment on this issue. These assess that it is morally questionable to disclose whether or not a voter has exercised his or her right to vote.

A significant threat to all voting systems is also an attack on a system that seeks to manipulate the actual outcome of an election.

Method operation and areas of application

The method according to the invention makes it possible to implement a telecommunication system in which all the above-mentioned elements of election secrecy can be secured.

3 8 6 4 8 6

Figure 1. shows a functional block diagram of a method according to the present invention. The following components can be distinguished: 1. The voter's computer (VC) on which the person entitled to vote performs voting.

2. A physically secure voting computer (PPVC) that processes voting data for storage in a format that can be stored in a separate voting file (VF). The physically protected computer is implemented so that unauthorized persons do not have access to the stored secret keys or other confidential information. It is also not possible to interfere in any way with the functions, flow and so on performed by said physically secure data processing body.

3. Voting file (VF), which stores the voting results as received from voters. It should be noted that the file is stored outside a physically secure data processing device, however, its processing is protected using cryptographic methods. The file is protected against both disclosure (encryption) and attempted alteration (sealing). The seal of a file is calculated so that it depends on each bit of information in said file, so that a change in any bit causes an average of 50% change in the bits of the seal, using a master key (Km) inside the physically protected data processing element ·: is known only to the said voting computer (PPVC). The seal depends not only on the above-mentioned voting data and the master key (Km) but also on the random vector (RV) created by the physically protected data processing device itself. This is because you can protect yourself from possible copy-type attacks. These attacks are such that they seek to use previously obtained sealed or encrypted information by replacing it with current information.

4. Voting Result File (VRF), in which the voting computer (PPVC) calculates the actual result of the election from the stored voting file (VF).

5. A public key file (PKF) containing the public key corresponding to each voter.

The system according to the invention is suitable for use, for example, for continuous monitoring of the climate of opinion, decision-making, holding an advisory or binding referendum, for example: - in matters concerning the whole state - in municipal matters - in decision-making by communities and organizations (eg parties);

The method according to the invention can be applied to numerous other applications as well. These applications to which the method is suitable are, for example, stock exchange and other order transmission systems and electronic payment transaction systems.

Physically protected is central to the operation of the system. . ·. a voting computer (PPVC) to which the voter is connected with his or her own voter computer (VC).

'The system can also be implemented in a distributed way (Figure 2), e.g. · ;;; the nationwide system can be decentralized into subsystems '' - ·· systems into counties, which in turn can be decentralized into subsystems into municipalities. This creates a hierarchical system in which the lowest level of the hierarchy, the municipalities, has the required number of subsystems made up of voter computers (VCs) and local voting computers (LPPVCs). The next '. At the hierarchical level are, for example, county-level voting computers (RPPVCs), in relation to which local-level voting computers are in the position of voter. Similarly, at the highest level of the hierarchy, county-level voting computers (RPPVCs) are connected to a nationwide physically secure voting computer (CPPVC) that computes nationwide-level results.

The achievable advantages of the method are, for example: 1. Carrying out teleconferencing in real time, for example, while protecting the electoral secrecy of a private voter. Real-time is a significant advantage over traditional voting systems. Traditionally, voters are given the opportunity to influence, for example, once every four years. With the method according to the present invention, voting results (VRF) are obtained daily and even even faster.

2. Recording, encryption and sealing of voting data in such a way that data manipulation is prevented.

3. Whether a voter has exercised his or her right to vote may be protected. This is an additional advantage of systems under this method compared to traditional electoral systems.

The basic object of the invention is to provide the voter with a secure route in terms of data protection for the transmission of voting data through the voter's computer (VC) to the voting computer (PPVC) and from there on to the voting database (VF).

;: · The voting database in question is a file in which the voting information provided by all voters is stored centrally. Another at least as important goal is to provide voters with reliable information about voting results. This is necessary because the organizers of the ballot do not have the opportunity to manipulate the final voting results.

6 8 6 4 G 6

A prerequisite for achieving the above objective is to ensure the following: 1. The voter must be assured that he or she is talking specifically to the voter's computer (VC) and not, for example, to the eavesdropping simulator.

2. The voter's computer (VC) must provide security for the voter's identity.

3. The voter's computer (VC) must be able to authenticate the voting computer (PPVC), ie there must be mechanisms by which the voter's computer (VC) can verify the identity of the voting computer (PPVC).

4. The processing and storage of data on the voting computer (PPVC) and the voter's computer (VC) shall be organized in a secure manner. This primarily applies to information that is important for election secrecy, such as the voting information of individual voters.

5. The calculation of voting results (VRF) on a voting computer (PPVC) must be carried out in a secure manner. Voting data must therefore under no circumstances be leaked in plain language outside the • physically protected part of the voting computer (PPVC). This means that if voting data are not physically protected, they must be protected, for example, using cryptological methods (encryption, sealing-- f; ti). 1 Voting result calculation (VRF) algorithms shall be such that it shall not be possible to infer from the calculated voting results (VRF) the voting information provided by an individual voter. This also applies to so-called combined attacks, 7 86426 in which several database searches, none of which as such reveal confidential information, but the appropriate combination of such database searches do so. Voting computer (PPVC) voting result (VRF) calculation algorithms must therefore include checks to detect such attacks.

7. The storage of public information related to cryptography and authentication (eg public key system public keys) stored on the voting computer (PPVC) and the voter's computer (VC) shall be arranged in such a way that it is not possible for third parties to change this information without the voting computer (PPVC) noticing these changes.

8. There is a secure way to transfer voting results to voter information without anyone having the opportunity to manipulate that information in between.

In an implementation of one of the methods of the present invention shown in Figure 1, voter identification is based on the magnetic card in his possession and only the password known to that voter.

Authentication between the voting computer (PPVC) and the voter's computer (VC) is performed in the system in question. using public key methods. Each voter's computer (VC) has its own secret key, which is held exclusively by said computer. This key, like all other confidential information of the voter; · 1: The computer (VC) is stored in a physically secure location.

Correspondingly, the voting computer (PPVC) has its own secret key, which in the same way is only and exclusively in the possession of said information ... and is physically protected.

a 86486

More detailed information on the methods of public keys, their operating principles and reliability is not presented here, but reference is made to the literature references below.

1. Beker H., Piper F., Cipher Systems, The protection of Communications, Edindburgh and London, Northwood Publications, 1982.

2. Seberry, Pieprzyk, Cryptrography, An Introduction to Computer Security, New York, Prentice Hall, 1989.

3. Davies D. W., Price W. L., Security for Computer Networks,

An Introduction to Data Security in Teleprocessing and Electronics Funds Transfer, Chichester, John Wiley & Sons, 1984.

* · · 1 «· · · 9 8 6 4 86 EXAMPLE:

Below is a detailed description of the individual voting event.

Voter Voter Computer (VC) Voting Computer (PPVC) 1. Authentication Request <----------------------------- 2. Authentication Information (Magnetic Card Information) and PIN) --------------------------> 3. Authentication Acknowledgment <--------- --------------------- 4. EtKp ^ OD ^ ID ,,, O ,, »-,» ------------ ------------------------------> 5 - E (Kpi, E (Ksk, aov, ID „, c ,, Rt , c2, r2 »<----------------------------------------- 6. E (Kpk, E (Ksi, «DV / 10„, Ct, Rt, c2, R2 »---------------------------- --------------- 7. Polling poll <-------------------------- 8. Transmission of voting information (VOTE) ...........................—> 9. E (Kpk / E (Ksi, tIDv / IDb / Ct, Rt, C2, R2 ») --------------- - -----------------------> 10 . E (Kpi, E (Ksk, «Ov, IOni, Ci, RT, C2, R2 / VOTE» <------------------------- -----------------;: 11. Acknowledgment of vote .......................... ......

12. Polling poll ................................> 13. E (Kpk / E (KS ^, {I0V , IDb, Ct, Rt / C2, R2, RESULT_REQ>)). '---------------------------------------- 14. 14. E (Kpi / E (Ksk, aDv (, XD |, / CT, RT, C2, R2 / VOTING_RESULT ») <-------------------------- --------------- 15. Forwarding of voting results • <............................. ..

----: 16. DISCONNECTING THE CONNECTION

<................... <> ....................> 10 864ο 6 Voting operation step by step is as follows: 1. The voter's computer (VC) requests authentication.

2. The voter shall provide authentication information, PIN code and magnetic stripe card line information.

3. The voter's computer (VC) checks the voter's authentication information and gives the voter a positive acknowledgment if the authentication was successful.

4. The voter's computer (VC) sends an authentication request to the voting computer (PPVC). This message is encrypted with the public key of the voting computer (PPVC), so only the voting computer (PPVC) can interpret it. This fact is at the same time partial authentication. Namely, if the voter's computer (VC) can later verify that the opposite device has been able to interpret the message sent by him correctly, the voter's computer (VC) can verify the identity of the voting computer (PPVC). The message contains the unambiguous voter identification number IDV, the voter computer identification IDm, the constant field C1 and the random number R1. The constant C1 is included in the message because the voting computer (PPVC) - * when interpreting the message can decide whether the received message is actually a message that is assumed to be received i.e. i.e. reasonable. A random number generated by the voting computer (PPVC) itself is included in the message to ensure that said authentication sequences look different each time. This is necessary to eliminate the so-called. replay attacks.

• »··» · ... 5. Voting computer (PPVC) after receiving a message sent by the voter information machine (VC) in which the identity of the voter and the voter's computer is revealed to the voting computer (PPVC), li 8 6 4 S 6 checks the standard field of the message. If the standard field is what it should be, that is, what is agreed at system level as the relevant standard field, the voting computer retrieves the public key corresponding to the respective voting computer from the sealed public key file (PKF), checks the seal and sends the authentication acknowledgment message back to the voter's computer (VC). The message contains the voter identification IDV, the voter computer identification IDm, the constant C1 and the random field R1 sent by the voter's computer (VC), and the corresponding second constant field C2 and the random field R2. The meaning of the latter two fields is the same as the corresponding fields sent by the voter's computer (VC). The message is encrypted in such a way that the top-level encryption is encrypted with the public key of the voter's computer (VC) and the internal encryption is performed with the secret key of the voting computer (PPVC). The purpose of external encryption is to prevent the disclosure of information. This is ensured by the fact that no one other than the voter's computer (VC) can to decrypt the message because this requires the secret key of the voter's computer (VC), which is only held by the voter's computer (VC). The purpose of internal cryptography is to authenticate the voting computer (PPVC) to the voter computer (VC). Similarly, this is ensured by the fact that only the voting computer (PPVC) has been able to perform said encryption, since only it has the said secret key.

· It should be noted that after step 5, the voting computer (PPVC) has authenticated itself to the voter's computer (VC), but there is still no certainty about the authenticity of the voter as well as the voter's computer (VC), as anyone could have sent the message mentioned in step 4. . 1 The voter's computer (VC) sends a message similar to the previous step. As an external, the function of the encryption i2 86 4 86 is to prevent the disclosure of the information content of the message. The public key of the voting computer (PPVC) is used as the encryption key here. This encryption can only be decrypted by the voting computer (PPVC), as only it has the corresponding secret key. Correspondingly, the internal encryption is performed using the secret key of the voter's computer, so this entails the authentication of the voter's computer (VC). This is because only the voter's computer (VC) has been able to perform said operation, as only it has this secret key.

It should be noted that after step 6, authentication is performed on both sides. The voter's computer (VC) has been assured that the opposite is really the voting computer (PPVC) that does. Similarly, the voting computer (PPVC) has obtained assurance of the voter's computer (VC) as well as the voter's identity.

7. After step 6, once all the authentications have been completed, a secure communication connection is also established between the voter and the voting computer (PPVC). Voting data can therefore now be transferred from the voter to the voting computer (PPVC). This happens in two stages. First, the voting computer (PPVC) asks the voter *: · 'for voting information.

8. The voter answers with the desired voting information. This information can contain quite a variety of information. It may include information on the vote to be taken into account, whether it is possible to cancel or change previous votes, whether to take part in a new vote and the actual voting information.

9. The voting information provided by the voter is sent by the voter's computer (VC) to the voting computer (PPVC). Message i3 86486 includes similar standard and random fields as in previous messages. These have been added for the same reason, that is, to bring randomness against repetitive and other attacks. Cryptography is also performed in the same way as before; the outer encryption is again for masking the information while the inner encryption level is for message authentication.

10. The voting computer (PPVC) checks the correctness of the received message using standard and random fields and stores the voting information in the voting database. In this context, the integrity of the voting database is also checked by opening the seal of the voting database using a random vector (RV) located inside a physically protected data processing element (PPVC) and a master key (Km). The new voting information is added to the voting database by creating a new value for the random vector (RV) and using this and the master key (Km) to encrypt and seal the voting information in the database. An acknowledgment is then given to the voter's computer (VC). The same principles as in previous messages are used to generate this acknowledgment to ensure information encryption and message authentication.

11. The voting computer (PPVC) receives the acknowledgment message from the voter's computer (VC), verifies its correctness and, if the message was authentic and error-free, notifies the voter that the voting information provided by the voter has now been submitted to the voting database. The voter's computer (VC) then closes the connection.

12. The voter requests the voting results from the system.

13. The voter's computer (VC) presents a voter's voting result request to the voting computer (PPVC). Similar are used here. encryption and authentication mechanisms than in the previous • · 14 en. <, <r <Ο ο Η υ 0 stages.

14. The voting computer (PPVC) sends the calculated voting result to the voter's computer (VC). This transmission is also adequately protected from possible tampering. Here, the encryption of the information to be transmitted is no longer very important, as the results of voting are usually public information.

15. The voter's computer (VC) sends the received voting result information to the voter.

16. The connection between the voting computer (PPVC) and the voter's computer (VC) is disconnected.

Claims (6)

15 8 6 486 1. A method for the secure conduct of teleconferencing, characterized in that all processing of voting data is carried out within a physically secure data processing device (PPVC) so that at no point any voting information provided by individual voters appears outside said physically secure data processing device (PPVC) in plain language or interpretable by a non-physically secure data processing authority (PPVC). A method according to claim 1, wherein the identity of the voter can be verified so that the voter can only exercise his or her own voting right, characterized in that this fact is ensured by the fact that only the voter's computer (VC) holds a secret key or other secret information, whose possession is verified by the voting computer (PPVC), and that, accordingly, since the voter computer (VC) has identified the voter, an authentication chain is provided from the voting computer (PPVC) to the voter, which verifies the voter's identity. A method according to claim 1, by which the voter --- can verify the authenticity of the voting machine, i.e. that the voter is connected specifically to the voting machine for which it is intended, characterized in that this fact is ensured by the fact that only the voting computer (PPVC) has a secret key or other secret information the possession of which is verified by the voter's computer (VC). A method according to claim 1, characterized in that the voters' public keys can be stored outside the physically protected data processing means, however, such that the keys are sealed so that the value of said i6 86 466 seal depends not only on said public keys but also on the physically protected data processing means itself. the random number (RV) and fixed key (Km) it generates, a feature that ensures that it is not possible to change key information or, for example, reuse obsolete information. A method according to claim 1, characterized in that the voting data provided by voters can be stored outside the physically protected data processing means, however, so that the voting data is sealed and encrypted only with a key inside the physically protected data processing means so that the value of said seal depends not only on said voting data but also physically. a random number (RV) and a fixed key (Km) generated by the data processing body itself, which feature ensures that it is not possible to change the voting data or, for example, to reuse obsolete data. A method according to claim 1, characterized in that the voting results can be transmitted to the voters so that the voter can verify their authenticity, i.e. that said voting results are calculated from the given voting data (VF) and that the voting results are not manipulated during their calculation or transmission. . i7 8 6 4C 6