Twitter | Search | |
Matthew Green
So I’m a little torn. Yesterday for fun (yes, I have bad work-life balance) I took a look at some of the e-voting code that the agency recently provided under bug bounty. Apparently it’s being used in real elections. 1/
Reply Retweet Like More
Matthew Green 18 Feb 19
Replying to @SarahJamieLewis
I did maybe an hour’s poking with , who also has bad work/life balance, and in that hour we found a whole bunch of non-cryptographically-secure parameters being used in their test code. So we commented on it. 2/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @swisspost
Woke up to a tweet from informing me that I “may have missed” a note on page 48 of their 163-page protocol spec, that informs the reader of the “production parameters”. They’re not included in the code. 3/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
The actual parameters are larger and will be generated using some unspecified process. So I felt a little bad about that, even though on reflection, I don’t exactly know how they could have done a worse job at specifying this. 4/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
Maybe if they’d hid them in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard,’ I would have found them. :) 5/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
As some kind of penance I spent the day poking through their specs and code and OH LORD I love complicated crypto, but this terrifies even me. I can’t even make sense of some of these code patterns to find the right routines, let alone verify they’re correct. 6/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @SarahJamieLewis
I think has done a great job at showing a million different scary things in that code. Go read her timeline. Here’s one just for fun: 7/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
In any case, I’m not going to drop a bunch of vulns because I don’t understand this code well enough to find them yet, and Sarah’s comments are worrying enough. Instead I’m going to explain what this thing is supposed to do — and why even the smallest bug is so dangerous. 8/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
When you vote, your ballot is encrypted. The magic of this system is that it can do four things: 1. Verify your ballot is legit. 2. Strip away your ID, and cryptographically shuffle ballots. 3. Add the ballots up *without decrypting them*. 4. Decrypt the final tallies. 9/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
The beauty of this system is that nobody can see what’s in the ballots. So I could try to vote twice. Or much more worryingly, the shuffle step could just *replace* all the ballots with new ones that elect, say, a Swiss cryptographer to office. 10/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
All of these bad things are kept at bay with one of my favorite tools: zero knowledge proofs. A ZKP makes sure you can’t vote 10,000 times. A ZKP makes sure that the shuffler (mix) doesn’t just throw away and replace all the ballots. (Actually this is a MESS of proofs.) 11/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
The wonderful, horrible thing about zero knowledge proofs is that when they work, they’re amazing. When they fail, they can fail *undetectably*. Believe me, I have stories. 12/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
What I’m trying to get across here is that this is *not* exactly like a bad online voting system, where the attacker maybe has to tamper with thousands of clients. If there are bugs in these proofs, the attacker could potentially do a huge amount of damage. 13/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
In the worst case, a malicious or hacked shuffling (mix) server could simply pick the next Swiss president. Or chocolate king —whatever the equivalent is over there. I kid!! ;) (Note to self: learn something about the Swiss political system.) 14/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
All of this is a long-winded way of saying that, no, a bug bounty is NOT the right tool to evaluate something so complex and fragile. PARTICULARLY when, thanks to enterprise Java, huge portions of the critical code look like this: 15/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
So to summarize this long tweet thread: *no* it is not the case (apparently) that this code is trivially broken. *no*, that does not make it safe to use in real elections, nor (as far as I know) has it been audited by anyone competent enough to really bless it. 16/
Reply Retweet Like
Matthew Green 18 Feb 19
Replying to @matthew_d_green
In summary, that is my story of how I ticked off the Swiss Post office and learned more about Java cryptography than I ever wanted in my head. Fin/
Reply Retweet Like