Improved Remote Attestation for Online Voting

Supervisor(s): Marius Momeu
Status: finished
Topic: Others
Author: Maximilian Haberl
Submission: 2022-02-11
Type of Thesis: Guided Research
Proof of Concept: No

Abstract:

Remote attestation and trusted execution environments are promising technologies for securing online voting. With remote attestation, the different components of an online voting system can prove their trustworthiness to each other. But the trust established through remote attestation depends entirely on the trust placed in the third party that signs the endorsement certificates. A high-stakes process such as voting must be assumed to attract powerful adversaries. Such an adversary, for example an entire nation state, has the power to coerce the trusted third party into issuing compromised certificates. We propose a threat model in which the third party issuing the endorsement certificates is compromised and an attacker gains access to an attestation key with a valid endorsement certificate. This allows the attacker to forge arbitrary attestations, which is the basis for the two attacks on remote attestation described in this paper. An attacker with these capabilities can launch a man-in-the-middle attack against the connection between the voting client and the voting server, which allows them to manipulate the ballot. They can also create a forged voting client that modifies the ballot of any voter using it. Further, we discuss potential defenses against these attacks. By binding the remote attestation to an authenticated key exchange we can prevent the man-in-the-middle attack. However, the anonymity provided by some of the signature schemes used in remote attestation makes a forged voting client hard to detect and stop.
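The following is an added example, not code from the thesis, that models the man-in-the-middle attack and the authenticated-key-exchange defense sketched in the abstract. The endorsement CA, the TEE's attestation key, the measurement value and the wire format are all constructed for the example; the defense is instantiated as an assumption: the server signs the handshake transcript with a long-term Ed25519 identity key that the client pins out of band, so that trust in the channel does not rest on the endorsement CA alone. Signatures use Ed25519 and the key exchange uses X25519 from the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed value: the measurement the voting client expects for the genuine voting-server enclave.
var goodMeasurement = sha256.Sum256([]byte("voting-server-enclave-v1"))

func cat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

// Quote models an attestation: measurement and report data signed by an attestation key whose
// public half carries an endorsement signature from the trusted third party (the endorsement CA).
type Quote struct {
	Measurement, ReportData [32]byte
	AttestPub               ed25519.PublicKey
	Endorsement, Sig        []byte
}

// Attester holds an endorsed attestation key. The genuine TEE reports its real measurement; an
// attacker holding an endorsed key obtained through the coerced CA can report any measurement.
type Attester struct {
	priv        ed25519.PrivateKey
	endorsement []byte
}

func newAttester(caPriv ed25519.PrivateKey) *Attester {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Attester{priv, ed25519.Sign(caPriv, pub)} // endorsement = CA signature over the key
}

func (a *Attester) quote(measurement, reportData [32]byte) Quote {
	sig := ed25519.Sign(a.priv, cat(measurement[:], reportData[:]))
	return Quote{measurement, reportData, a.priv.Public().(ed25519.PublicKey), a.endorsement, sig}
}

// verifyQuote is the client's attestation check: endorsement chain, quote signature, expected
// measurement, and binding of the quote to this handshake via the report data.
func verifyQuote(caPub ed25519.PublicKey, q Quote, reportData [32]byte) error {
	switch {
	case !ed25519.Verify(caPub, q.AttestPub, q.Endorsement):
		return errors.New("endorsement not signed by CA")
	case !ed25519.Verify(q.AttestPub, cat(q.Measurement[:], q.ReportData[:]), q.Sig):
		return errors.New("quote signature invalid")
	case q.Measurement != goodMeasurement:
		return errors.New("unexpected measurement")
	case q.ReportData != reportData:
		return errors.New("quote not bound to this handshake")
	}
	return nil
}

// ServerHello carries the server's X25519 key and the quote binding it. In the authenticated
// variant it also carries the server's long-term identity key and a signature over the transcript.
type ServerHello struct {
	Eph           []byte
	Quote         Quote
	Identity      ed25519.PublicKey // nil in the unauthenticated variant
	TranscriptSig []byte
}

func transcript(clientEph, serverEph []byte, id ed25519.PublicKey) [32]byte {
	return sha256.Sum256(cat(clientEph, serverEph, id))
}

// serverHello builds the server's message; idPriv == nil gives the unauthenticated variant.
func serverHello(att *Attester, eph *ecdh.PrivateKey, clientEph []byte, idPriv ed25519.PrivateKey) ServerHello {
	h := ServerHello{Eph: eph.PublicKey().Bytes()}
	if idPriv != nil {
		h.Identity = idPriv.Public().(ed25519.PublicKey)
	}
	t := transcript(clientEph, h.Eph, h.Identity)
	h.Quote = att.quote(goodMeasurement, t)
	if idPriv != nil {
		h.TranscriptSig = ed25519.Sign(idPriv, t[:])
	}
	return h
}

// clientAccept verifies the hello and returns the shared secret. pinnedID is the server identity
// key distributed out of band, independent of the endorsement CA; nil means unauthenticated.
func clientAccept(caPub, pinnedID ed25519.PublicKey, clientEph *ecdh.PrivateKey, h ServerHello) ([]byte, error) {
	t := transcript(clientEph.PublicKey().Bytes(), h.Eph, h.Identity)
	if pinnedID != nil && (!h.Identity.Equal(pinnedID) || !ed25519.Verify(pinnedID, t[:], h.TranscriptSig)) {
		return nil, errors.New("server identity not authenticated")
	}
	if err := verifyQuote(caPub, h.Quote, t); err != nil {
		return nil, err
	}
	peer, err := ecdh.X25519().NewPublicKey(h.Eph)
	if err != nil {
		return nil, err
	}
	return clientEph.ECDH(peer)
}

// mitm swaps in its own ephemeral key and re-attests it with the leaked endorsed key. It cannot
// re-sign the transcript with the server's identity key, so that field is forwarded unchanged.
func mitm(leaked *Attester, h ServerHello, clientEph []byte) (ServerHello, *ecdh.PrivateKey) {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	h.Eph = eph.PublicKey().Bytes()
	h.Quote = leaked.quote(goodMeasurement, transcript(clientEph, h.Eph, h.Identity))
	return h, eph
}

// runScenarios returns (honest authenticated handshake succeeds,
// MITM succeeds against the unauthenticated variant, MITM succeeds against the authenticated one).
func runScenarios() (bool, bool, bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	server, leaked := newAttester(caPriv), newAttester(caPriv) // leaked: attacker's CA-endorsed key
	idPub, idPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	serverEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	cpub := clientEph.PublicKey().Bytes()

	honest, err := clientAccept(caPub, idPub, clientEph, serverHello(server, serverEph, cpub, idPriv))
	want, _ := serverEph.ECDH(clientEph.PublicKey())
	honestOK := err == nil && bytes.Equal(honest, want)

	h1, atk := mitm(leaked, serverHello(server, serverEph, cpub, nil), cpub)
	s1, err1 := clientAccept(caPub, nil, clientEph, h1)
	atkSecret, _ := atk.ECDH(clientEph.PublicKey())
	mitmUnauth := err1 == nil && bytes.Equal(s1, atkSecret) // client now shares a key with the attacker

	h2, _ := mitm(leaked, serverHello(server, serverEph, cpub, idPriv), cpub)
	_, err2 := clientAccept(caPub, idPub, clientEph, h2)
	return honestOK, mitmUnauth, err2 == nil
}
```

In the unauthenticated variant the forged quote passes every attestation check, because the attacker's key is endorsed by the same CA and the quote can claim the expected measurement, so the client ends up sharing a secret with the attacker. In the authenticated variant the same forged quote still verifies, but the transcript signature under the pinned identity key no longer matches the substituted ephemeral key, and the client aborts. Note that this defense only helps for the man-in-the-middle case: it does nothing against a forged voting client, which is the second attack the abstract describes.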