Biometric for E-voting in the UK - Article Example

e-Voting institution’s name course module instructor date of submission 1a) Biometric for e-Voting in the UK Biometric identification involves identifying individuals by their human characteristics as opposed to other modern methods of identification such as passwords, identification cards, passports etc. There are different technologies used to make such identifications. The accuracy of the different technologies available in the market vary greatly in the type of human characteristic such as voice, finger prints, body shape etc that they seek to identify. There are two main categories of biometric techniques namely; physiological and behavioural techniques. Physiological techniques are based on physiological traits such as fingerprint verification, ear recognition, iris/retina analysis, facial analysis, odour detection, DNA pattern analysis etc. Behavioural techniques are based on behavioural traits such as handwritten signature verification, keystroke analysis and speech analysis (Soram & Khomdram, 2010). The UK, in consideration of e-voting is best suited to adapt DNA pattern identification and hand written signature verification. Same way as physiological techniques, DNA pattern analysis is more reliable and secure as compared to behavioural techniques such as hand written signature verification. In the case of e-voting in the UK, the DNA testing can be adapted for identification purposes in the system. This will involve creating a DNA database of all voters that is web based. Voters will thus be able to prove their identification by matching their DNA pattern from wherever they are with the one in the database. Soram and Khodram (2005, p. 1) support this by saying that “the digital nature of DNA information enhances the accuracy in authentication enabling the development of DNA based personal identifiers.” However, one major shortcoming of DNA is authentification cannot be done in real-time. Again the physical sample required is detachable from the owner such as hair saliva increasing FAR (Maestre, & Nichols 2009). The use of DNA systems and other biometric systems have their own vulnerabilities. Soram and Khomdram (2010) classify them as analytical and mathematical. Oostveen and Besselaar (2003) say that the main concept of e-voting is to encourage higher turnout by voters wherever they are. Misuse of the technology by voters is a likely hindrance to the e-voting process. The fact that the DNA system uses biometrics that can be detached from the carrier such as finger nails, hair, saliva etc shows that the system is vulnerable to spoof attacks. Storage of data is another issue in terms of the information contained on the DNA sample such as medical history, hereditary conditions etc. Maestre, & Nichols (2009) evaluated the vulnerabilities of signatures and recognised that there were FAR in synthetic signatures than in on paper signatures. E-voting tends to rely more on synthetic signatures hence increases the risk of abuse the process undetected. b) Public support for biometric enabled eVoting The biometric systems often used in e-voting have a great influence on the public opinion towards e-voting. The greatest concern as indicated by a study carried out by Maestre, & Nichols (2009) has to do with privacy issues especially where DNA system is used. The main concern is the safety of information contained in the DNA samples stored in the database. Nonetheless, the accuracy of e-voting is widely accepted by the public in many countries only that there are concerns over the security risks and the efficiency of the technologies. In Switzerland for instance, trials of e-voting were extended to cover 12 cantons out of the total 26 during this year’s November elections (Fenazzi 2010). No major difficulties were reported thereby showing immense public support and acceptance of the process as genuine, fair and fool proof. The UK public is worried about the security threats of e-voting. Pilot studies for e-voting were conducted in the UK during the May 2007 elections. During the e-voting pilot elections, the UK Electoral Commission ordered an end to the processes. The reason was that there “Concerns were raised about low public confidence in the security of internet and phone voting, accessibility, and technical difficulties” (BBC 2007). Although the pilot elections were aimed at assessing the suitability of adopting an electronic voting system for the UK, the public was already apprehensive casting doubts over the possibility of adopting e-voting for the whole nation. Other countries have tested e-voting with different results in term of public acceptance. In Belgium, e-voting has been widely accepted unlike in other countries. One of them is Bahrain where the opposition parties have expressed concerns over the possibility of manipulation of results. One of the major political parties opposed to e-voting in the Al Wefaq Political Society, which won 16 out of 40 parliamentary seats in parliament in 2006 (Khaleej Times Online 2010). Despite such reported cases of opposition, the number of countries trying e-voting has increased over time though the progress is hampered by the 4-5 year election cycles that limit pilot studies. 2 a) Repudiation in e-voting Repudiation in the e-voting context has been defined in many different terms. In general, however, repudiation is the ability of a person to confirm involvement in a particular act in given circumstances. Through repudiation, a person cannot for instance deny or withdraw his vote. Non-repudiation on the other hand refers to the concept of making sure that a voter cannot deny involvement in a vote or the concept of him not denying his vote. Through repudiation, the voter can deny his vote if need be. Gritzalis (2003) says that non-repudiation is about providing proof that a particular act was actually performed. Ha adds that the non-repudiation feature should, in fact be avoided, since the voter does not want to disclose the authorization of a vote regardless whether or not he actually did the vote. Non-repudiation is however recommended in certain elections. A good example is the case of electronic bidding where the anonymity of the bidder is protected. With non-repudiation, a bidder cannot withdraw his bid without being detected while at the same his identity is protected. Non-repudiation is most applicable where there is a central administration holding the database. This issue of non repudiation however makes it problematic for national or major political elections. This is because once a person is registered as a voter but abstains from the voting process, then the administrators who manage the database have the ability to vote on behalf of the voter undetected. Non-repudiation makes an impractical assumption that all registered voters will participate in the process and where one does not feel like participating should cast a blank ballot (Damgard, et al 2002). Repudiation is necessary requirement for fighting rigging of elections. By enabling repudiation, votes cast can be traced back to the voters. Therefore, repudiation is an integral tool in lowering FAR and FRR. In cases where there is suspected rigging in elections, votes have to be traced back to the voters. Proponents of non-repudiation in the voting process cite the issue of privacy and confidentiality of voters as valid grounds for withholding the identity of the voter. They view repudiation as malpractice. Conversely, proponents of repudiation in the e-voting process argue that repudiation creates relative certainty that the whole voting process will fair just and free of defectives. In a case where repudiation works well, voters should be capable of verifying their participation in the voting process but no one can tell who they voted for (Security Vulnerabilities in SSL/TLS n.d.). This is called blind signature. It involves a voter interacting with an authority in plain text that verifies his eligibility to vote but confirms he has not already done so. The authority then issues a blind signature on the ballot without the authority learning the contents of the ballot. 2 b) safety of SSL/TLS and RSA The SSL/STL protocols have been use in a number of years and they have proved reliable until the detection of attacks. These vulnerabilities are basically classified into two, technical and organizational. The table lays emphasis on technical vulnerabilities and gives a brief mention of organizational vulnerabilities. Eavesdropping: SSL provides a lot of plaintext for eavesdroppers. Such attacks can be halted by strengthening the algorithm does not secure SSL completely from attacks. SSL and TLS use both symmetric and asymmetric cryptography. Asymmetric encryption is used for authentification while symmetric encryption is used for transfer of large data due to its ease of computation (Wagner & Scheiner 1996). Traffic analysis Traffic analysis aims at retrieving confidential information about protected sessions by analyzing unencrypted packets fields and unprotected packet aspects. By doing so, an attacker can trace the unencrypted IP source and destination and determine the parties interacting and the type of transaction involved such as online shopping or tax remittance (Wagner & Scheiner 1996). Replay attack This kind of attack involves a third party, the attacker capturing an encrypted on unencrypted message in transit from a source to a destination. The attacker then resends the message to the destination. Weak boundary security Increased reach of business and online transactions has implied movement of data across organizational boundaries that undermine the traditional notion of network parameter. The weakening of network boundaries is more common due to; third party database hosting and internal applications that invoke web services provided by business partners. Variation in voltage supply Varying the voltage supply to the holder of the SSL private key using home mad devices stresses out the computer forcing it to give the private key in bits that can be reconstructed. This was demonstrated by scientists at University of Michigan. However, this type of vulnerability is not likely is large institutions. Organizational weakness Storage of unencrypted data in smart phones and laptops has played a role in weakening SSL and RSA. Additionally, poor training of end users such as organizational employees have demonstrated their contribution to increasing the vulnerability of SSl/TSl and RSA. References Alkassar, A. & Volkamer, M. (2007). E-voting and identity: first international conference, VOTE-ID 2007, Bochum, Germany, October 4-5, 2007 : revised selected papers. New York: Springer BBC (2007).Halt e-voting, says election, bodyhttp://news.bbc.co.uk/2/hi/uk_news/politics/6926625.stm Damgard, I. Groth, J. & Salomonsen, G. (2002). The Theory and Implementation of an Electronic Voting System. in Secure Electronic Voting, (ed. D. Gritzalis). New York: Kluwer Academic 2003. pp.77-100 Fennazzi, S. (2010) E-voting trials extended but progress is slow http://www.swissinfo.ch/eng/politics/swiss_abroad/E-voting_trials_extended_but_progress_is_slow.html?cid=28681782 Gritzalis, D. (2003). Secure electronic voting. New York: Springer Hornickel, A. (2006). Conceptual Study on E-voting in Belgium. Master thesis. Retrieved from, http://alexandria.tue.nl/extra1/afstversl/wsk-i/hornickel2006.pdf Khaleej Times Online. (2010). Opposition rejects e-voting for Bahrain polls. Retrieved from, http://www.khaleejtimes.com/DisplayArticleNew.asp?col=§ion=middleeast&xfile=data/middleeast/2009/July/middleeast_July428.xml Oostveen, A. & Besselaar, P. (2003). E-voting and media effects, an exploratory study. Retrieved from, www2.lse.ac.uk/media@lse/research/EMTEL/Conference/.../Oostveen.pdf Security Vulnerabilities in SSL/TLS (n.d.). Retrieved from, http://isis.poly.edu/courses/cs682/labs/393lab5.pdf Soram, R. & Khomdram, M. (2010). “Biometric DNA and ECDLP-based Personal Authentication System: A Superior Posse of Security.” International Journal of Computer Science and Network Security, VOL.10 No.1, January 2010 Wagner, D. & Schneier, B. (1996). Analysis of the SSL 3.0 protocol. Proceedings of the Second USENIX Workshop on Electronic Commerce Oakland, California, November 1996. Retrieved from, https://www.usenix.org/publications/library/proceedings/ec96/full_papers/wagner/wagner.pdf Read More