On Fri, Mar 07, 2003 at 07:16:04PM -0600, Manoj Srivastava wrote:
> People interested in following the ebb and flow of voting can
> find it all on: http://master.debian.org/~srivasta/leader2003.html
So, here's an exploit. First, the case of characters:
A - Alice, a Debian developer trying to vote
V - vote.debian.org
M_x - Mallory, a malicious person who's trying to stop Alice from
voting how she wishes, masquerading as x
Also:
S_x ( Y ) means Y, signed by x
E_x ( Y ) means Y, encrypted to x
Alice happens to want to change her vote. Here's what she tried to do:
A -> V : S_A( I vote: 12345 )
V -> A : E_A( Your vote was: 12345, your magic number is: N )
A -> V : S_A( I vote: 43215 )
V -> A : E_A( Your vote was: 43215, your magic number is: N )
If Mallory intercepts her mail, we can have:
A -> M_V : S_A( I vote: 12345 )
M_V -> A : E_A( Your vote was: 12345, your magic number is: N )
A -> M_V : S_A( I vote: 43215 )
M_V -> A : E_A( Your vote was: 43215, your magic number is: N )
Of course, something this simple can be detected by going to [0] and seeing
if your name is in the list of voters. In the correct case it will be, if
Mallory's been interceptiing your mail, it won't be. Mallory can be slightly
cleverer though, and do:
A -> M_V : S_A( I vote: 12345 )
M_A -> V : S_A( I vote: 12345 )
V -> M_A : E_A( Your vote was: 12345, your magic number is: N )
M_V -> A : E_A( Your vote was: 12345, your magic number is: N' )
A -> M_V : S_A( I vote: 43215 )
M_V -> A : E_A( Your vote was: 43215, your magic number is: N' )
and thus cause Alice's change of vote to only be accepted if it benefits
Mallory. This will be caught by Alice after the vote is over, because
she won't know N to verify her vote, but she hasn't really got any way
of proving that she tried to change her vote. She doesn't have any way
of telling that there's a problem until the vote's over.
Note that Mallory doesn't find out "N" either.
This could be fixed by vote.debian.org having a well known key, and signing
acks. It could be fixed by having a dummy tally file that indicates which of
your votes is being counted, eg, having the vote protocol be:
A -> V : S_A( I vote: 12345 )
V -> A : S_A( You voted: 12345, your number is N, this is vote #3)
for the third time you change your vote, and including:
md5( #3, Alice, "----1", N )
in a running tally. The final tally file should still include:
12345 md5( Alice, N )
Having the different contents in the md5 stops you from being able to use
the running tally to interpret the final md5sum. Note that if you know
md5(X), and can bruteforce Y, you can work out md5(X, Y); I don't believe
the reverse applies, so some care is required here -- including md5(Alice,
N, 1) in the tally would let you do a matching attack against the list
of people who've currently voted after the final tally comes out, eg.
Cheers,
aj
[0] http://bugs.debian.org/%7Esrivasta/leader2003_voters.txt
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``Dear Anthony Towns: [...] Congratulations --
you are now certified as a Red Hat Certified Engineer!''
Attachment:
pgpnXw6TOv3b3.pgp
Description: PGP signature