[E-voting] Checksums - was: Disinformation about Ireland
pmmaillists at free.fr
Sun Mar 26 02:22:11 IST 2006
Adrian Colley wrote:
> Are you asking us for useful adversarial information? I'm a bit busy,
> but I wrote something that might suit:
The checksums issue is very interesting, but I am afraid it is too
technical for this conference. However, it should be very convincing
when talking to IT pros or academics (good news: they began to act).
Below is my reasoning. Yours was probably the same, was it convincing?
Obviously, these checksums are ineffective. Even an external control (by
unsocketing the EPROMs) would be ineffective, because checksums only
protect against accidental changes: you need cryptography (or a
byte-to-byte comparison) to detect intentional changes. Brazilian VMs
use MD5 cryptography (they are wondering whether to change to SHA1).
IMHO, it is equally important to demonstrate that they are a deception:
poll workers think that they control machine integrity because of this
"hi-tech" magic. Handbooks don't even translate "checksum" into French:
English words look more technical/magic.
The PTB report clearly proves that checksums are intended to be used by
poll workers to check software authenticity (1.4 "In the case of a
processor–controlled machine, any alteration of the installed
software by an unauthorised person will be detected."). We can assume
that Nedap documents do too, though they are not available.
So, can anyone consider Nedap as a serious company, if they
intentionally used such an absurd design?
I tried, but I couldn't find any legitimate use for these checksums:
- if the goal is to control that electronic chips are OK, you don't need
the poll workers. Every PC controls its RAM that way, without asking you
to check something in its handbook. BTW, Nedap uses a third internal
checksum to execute a silent check.
- if the goal is to check the software version, you just have to print
the version number. BTW, machines do it.
Now, I have to anticipate the answer: seals and procedures.
There are contradictions in the CEV report: are current seals made of
plastic or paper?
- "However there are paper seals that were broken in the process of
gaining access." (App. 2B, p 140).
- Answer from PTB: "An exchange of ROM chips is only possible by
breaking the seals, that means each storage exchange is detectable. In
fact, the complete electronic unit including the ROM chips is two-fold
sealed, by two independent plastic films which cannot be unfixed." (App.
2B, p 146). ==> "which cannot be unfixed". Is that realistic?
- PTB also adds: "This measure corresponds to the voting machine
requirements of the Irish government (DVREC-2).". ==> We might have
different seals in France. French requirements don't mention seals:
they are very likely not more secure.
Appendix 2C minimizes the risk:
1) "There are so many different kinds of attacks that are possible that,
at first glance, it would seem impossible to adequately protect against
all of them. Testing the machines before the election can find all but
the attacks that add batteries and clocks to the voting machine.
Parallel testing will detect even these problems." (p 166) ==> Quite
presumptuous, isn't it? The same team then conducted a parallel
election of 40000+ votes with a 0.32% error rate. Then, they had to use
several pages to demonstrate (convincingly) that it was only human
errors. Therefore, parallel testing is not realistic, even though it
would be easier in France: only one candidate to select.
2) "11.2 Recommendations
• A seal with a serial number on it that will be destroyed if peeled
off,..." (p 190) ==> a serial number, that's all? What about a
hologram? Do secure seals really exist? If yes, it won't protect
against internal attacks, either from the machine manufacturer, or the
Pierre Muller, webmaster of http://www.recul-democratique.org
French citizens critical of e-voting.
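
Added example, not part of the original message: a small verifier that compares a firmware image against a trusted reference in the three ways the message mentions (checksum, cryptographic hash, byte-to-byte comparison). The 16-bit additive checksum is an assumption, since the message does not say which algorithm the machines use; SHA-256 stands in for the MD5/SHA1 it mentions, and the images are constructed sample data.

```python
import hashlib


def sum16(image: bytes) -> int:
    # Assumed scheme: 16-bit additive checksum. The message does not say
    # which checksum algorithm the voting machines actually use.
    return sum(image) & 0xFFFF


def first_difference(a: bytes, b: bytes):
    # Byte-to-byte comparison: offset of the first mismatch, None if identical.
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_image(reference: bytes, candidate: bytes) -> dict:
    # Run all three checks against the same trusted reference image.
    return {
        "checksum_match": sum16(reference) == sum16(candidate),
        "sha256_match": hashlib.sha256(reference).digest()
        == hashlib.sha256(candidate).digest(),
        "first_difference": first_difference(reference, candidate),
    }


# Constructed sample data: a 4096-byte stand-in for an EPROM dump.
REFERENCE = bytes(range(256)) * 16

# Accidental change: one flipped bit, as from a failing memory cell.
ACCIDENTAL = bytearray(REFERENCE)
ACCIDENTAL[100] ^= 0x04

# Intentional change: two edits whose effects cancel in the additive sum.
INTENTIONAL = bytearray(REFERENCE)
INTENTIONAL[200] += 1
INTENTIONAL[201] -= 1

if __name__ == "__main__":
    for label, image in (("accidental", ACCIDENTAL), ("intentional", INTENTIONAL)):
        print(label, verify_image(REFERENCE, bytes(image)))
```

The checksum catches the bit flip but reports a match for the cancelling edits, while the hash and the byte-to-byte comparison flag both. Either of the latter is only as trustworthy as the source of the reference image or digest.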